background image

13-12

Configuring Port-Based and User-Based Access Control (802.1X)

General Operating Rules and Notes

If a port on switch “A” is configured as an 802.1X supplicant and is 
connected to a port on another switch, “B”, that is not 802.1X-aware, 
access to switch “B” will occur without 802.1X security protection.

On a port configured for 802.1X with RADIUS authentication, if the 
RADIUS server specifies a VLAN for the supplicant and the port is a trunk 
member, the port will be blocked. If the port is later removed from the 
trunk, the port will allow authentication of the supplicant. Similarly, if the 
supplicant is authenticated and later the port becomes a trunk member, 
the port will be blocked. If the port is then removed from the trunk, it will 
allow the supplicant to re-authenticate.

If a client already has access to a switch port when you configure the port 
for 802.1X authenticator operation, the port will block the client from 
further network access until it can be authenticated. 

Meshing is not supported on ports configured for 802.1X port-access 
security.

A port can be configured as an authenticator 

or

 an 802.1X supplicant, or 

both. Some configuration instances block traffic flow or allow traffic to 
flow without authentication. Refer to “Configuring Switch Ports To Oper-
ate As Supplicants for 802.1X Connections to Other Switches” on page 13-
51. 

To help maintain security, 802.1X and LACP cannot both be enabled on 
the same port. If you try to configure 802.1X on a port already configured 
for LACP (or the reverse) you will see a message similar to the following:

Error configuring port 

X

: LACP and 802.1X cannot be run together.

Applying Web Authentication or MAC Authentication Concurrently 
with Port-Based 802.1X Authentication:

 While 802.1X port-based access 

control can operate concurrently with Web Authentication or MAC Authenti-
cation, port-based access control is subordinate to Web-Auth and MAC-Auth 
operation. If 802.1X operates in port-based mode and MAC or Web authenti-
cation is enabled on the same port, any 802.1X authentication has no effect on 
the ability of a client to access the controlled port. That is, the client’s access 
will be denied until the client authenticates through Web-Auth or MAC-Auth 
on the port. Note also that a client authenticating with port-based 802.1X does 
not open the port in the same way that it would if Web-Auth or MAC-Auth were 
not enabled. That is, any non-authenticating client attempting to access the 
port after another client authenticates with port-based 802.1X would still have 
to authenticate through Web-Auth or MAC-Auth.

Summary of Contents for E3800 Series

Page 1: ...HP Switch Software E3800 switches Software version KA 15 03 September 2011 Access Security Guide ...

Page 2: ......

Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...

Page 4: ...of Microsoft Corporation Java is a US trademark of Sun Microsystems Inc Disclaimer The information contained in this document is subject to change without notice HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors ...

Page 5: ...tting Started with Access Security 1 10 Physical Security 1 10 Quick Start Using the Management Interface Wizard 1 11 CLI Management Interface Wizard 1 12 WebAgent Management Interface Wizard 1 13 SNMP Security Guidelines 1 14 Precedence of Security Options 1 16 Precedence of Port Based Security Options 1 16 Precedence of Client Based Authentication Dynamic Configuration Arbiter 1 16 Network Immun...

Page 6: ...ccess Credentials 2 15 TACACS Encryption Key Authentication 2 15 RADIUS Shared Secret Key Authentication 2 16 SSH Client Public Key Authentication 2 16 Operating Notes 2 19 Restrictions 2 21 Front Panel Security 2 23 When Security Is Important 2 23 Front Panel Button Functions 2 24 Clear Button 2 24 Reset Button 2 25 Restoring the Factory Default Configuration 2 25 Configuring Front Panel Security...

Page 7: ...on Rate Filtering and Configuring Sensitivity 3 10 Configuring the Per Port Filtering Mode 3 11 Example of a Basic Connection Rate Filtering Configuration 3 12 Viewing and Managing Connection Rate Status 3 14 Viewing Connection Rate Configuration 3 14 Listing Currently Blocked Hosts 3 15 Unblocking Currently Blocked Hosts 3 15 Configuring and Applying Connection Rate ACLs 3 17 Connection Rate ACL ...

Page 8: ... MAC Authentication 4 15 Configuring the Switch To Access a RADIUS Server 4 15 Configuring Web Authentication 4 18 Overview 4 18 Configuration Commands for Web Authentication 4 19 Show Commands for Web Authentication 4 26 Customizing Web Authentication HTML Files Optional 4 32 Implementing Customized Web Auth Pages 4 32 Operating Notes and Guidelines 4 32 Customizing HTML Templates 4 33 Customizab...

Page 9: ...ents 5 4 General Authentication Setup Procedure 5 4 Configuring TACACS on the Switch 5 7 Before You Begin 5 7 CLI Commands Described in this Section 5 8 Viewing the Switch s Current Authentication Configuration 5 8 Viewing the Switch s Current TACACS Server Contact Configuration 5 9 Configuring the Switch s Authentication Methods 5 10 Using the Privilege Mode Option for Login 5 10 Authentication P...

Page 10: ...Switch for RADIUS Authentication 6 6 Outline of the Steps for Configuring RADIUS Authentication 6 8 1 Configure Authentication for the Access Methods You Want RADIUS To Protect 6 9 2 Enable the Optional Access Privilege Option 6 12 3 Configure the Switch To Access a RADIUS Server 6 14 4 Configure the Switch s Global RADIUS Parameters 6 17 Using Multiple RADIUS Server Groups 6 21 Commands 6 21 Enha...

Page 11: ...ssion 6 50 Unique Acct Session ID Operation 6 50 Common Acct Session ID Operation 6 52 Configuring RADIUS Accounting 6 53 Steps for Configuring RADIUS Accounting 6 53 1 Configure the Switch To Access a RADIUS Server 6 54 2 Optional Reconfigure the Acct Session ID Operation 6 56 3 Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server 6 57 4 Optional Configure Session ...

Page 12: ... Static ACLs 7 16 How a RADIUS Server Applies a RADIUS Assigned ACL to a Client on a Switch Port 7 18 General ACL Features Planning and Configuration 7 19 The Packet filtering Process 7 20 Operating Rules for RADIUS Assigned ACLs 7 20 Configuring an ACL in a RADIUS Server 7 22 7 22 Nas Filter Rule Options 7 23 ACE Syntax in RADIUS Servers 7 25 Example Using the Standard Attribute 92 In an IPv4 ACL...

Page 13: ...ng a Local Login Operator and Enable Manager Password 8 9 2 Generating the Switch s Public and Private Key Pair 8 9 Configuring Key Lengths 8 12 3 Providing the Switch s Public Key to Clients 8 12 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 8 15 5 Configuring the Switch for SSH Authentication 8 20 6 Use an SSH Client To Access the Switch 8 24 Further Information on SS...

Page 14: ...the WebAgent 9 11 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior 9 13 Using the CLI Interface to Enable SSL 9 14 Using the WebAgent to Enable SSL 9 14 Common Errors in SSL Setup 9 16 10 IPv4 Access Control Lists ACLs Introduction 10 1 Overview of Options for Applying IPv4 ACLs on the Switch 10 3 Static ACLS 10 3 RADIUS Assigned ACLs 10 3 Command Summary for Standard IPv...

Page 15: ...t Masks and the Masks Used with ACLs 10 35 Rules for Defining a Match Between a Packet and an Access Control Entry ACE 10 36 Configuring and Assigning an IPv4 ACL 10 40 Overview 10 40 General Steps for Implementing ACLs 10 40 Options for Permit Deny Policies 10 41 ACL Configuration Structure 10 41 Standard ACL Structure 10 42 Extended ACL Configuration Structure 10 43 ACL Configuration Factors 10 ...

Page 16: ...diting Rules 10 86 Sequence Numbering in ACLs 10 87 Inserting an ACE in an Existing ACL 10 88 Deleting an ACE from an Existing ACL 10 90 Resequencing the ACEs in an ACL 10 91 Attaching a Remark to an ACE 10 92 Operating Notes for Remarks 10 95 Displaying ACL Configuration Data 10 97 Display an ACL Summary 10 98 Display the Content of All ACLs on the Switch 10 99 Display the RACL and VACL Assignmen...

Page 17: ...tion 11 1 DHCP Snooping 11 2 Overview 11 3 Enabling DHCP Snooping 11 4 Enabling DHCP Snooping on VLANS 11 6 Configuring DHCP Snooping Trusted Ports 11 6 Configuring Authorized Server Addresses 11 7 Using DHCP Snooping with Option 82 11 8 Changing the Remote id from a MAC to an IP Address 11 10 Disabling the MAC Address Check 11 10 The DHCP Binding Database 11 11 Operational Notes 11 12 Log Message...

Page 18: ... Debugging Dynamic IP Lockdown 11 30 Differences Between Switch Platforms 11 31 Using the Instrumentation Monitor 11 33 Operating Notes 11 34 Configuring Instrumentation Monitor 11 35 Examples 11 36 Viewing the Current Instrumentation Monitor Configuration 11 37 12 Traffic Security Filters and Monitors Overview 12 1 Introduction 12 2 Filter Limits 12 2 Using Port Trunks with Filters 12 2 Filter Ty...

Page 19: ...res 13 1 User Authentication Methods 13 2 802 1X User Based Access Control 13 3 802 1X Port Based Access Control 13 3 Alternative To Using a RADIUS Server 13 4 Accounting 13 4 Terminology 13 4 General 802 1X Authenticator Operation 13 8 Example of the Authentication Process 13 8 VLAN Membership Priority 13 9 General Operating Rules and Notes 13 11 General Setup Procedure for 802 1X Access Control ...

Page 20: ... Characteristics of Mixed Port Access Mode 13 30 Configuring Mixed Port Access Mode 13 31 802 1X Open VLAN Mode 13 32 Introduction 13 32 VLAN Membership Priorities 13 33 Use Models for 802 1X Open VLAN Modes 13 33 Operating Rules for Authorized Client and Unauthorized Client VLANs 13 39 Setting Up and Configuring 802 1X Open VLAN Mode 13 43 802 1X Open VLAN Operating Notes 13 48 Option For Authent...

Page 21: ...op Prevention is Disabled 14 4 MIB Support 14 5 Blocking Unauthorized Traffic 14 5 Trunk Group Exclusion 14 6 Planning Port Security 14 7 Port Security Command Options and Operation 14 8 Port Security Display Options 14 8 Configuring Port Security 14 12 Retention of Static Addresses 14 17 MAC Lockdown 14 23 Differences Between MAC Lockdown and Port Security 14 24 MAC Lockdown Operating Notes 14 26...

Page 22: ...s 15 6 Configuring IP Authorized Managers for the Switch 15 7 WebAgent Configuring IP Authorized Managers 15 9 Web Proxy Servers 15 10 How to Eliminate the Web Proxy Server 15 10 Using a Web Proxy Server to Access the WebAgent 15 10 Building IP Masks 15 11 Configuring One Station Per Authorized Manager IP Entry 15 11 Configuring Multiple Stations Per Authorized Manager IP Entry 15 11 Additional Ex...

Page 23: ... system information and IP addressing Management and Configuration Guide Describes how to configure manage and monitor basic switch operation Advanced Traffic Management Guide Explainshowtoconfigure traffic management features such as VLANs MSTP QoS and Meshing Multicast and Routing Guide Explains how to configure IGMP PIM IP routing and VRRP features Access Security Guide Explains how to configur...

Page 24: ... Guide IPv6 Configuration Guide Basic Operation Guide 802 1Q VLAN Tagging X 802 1X Port Based Priority X 802 1X Multiple Authenticated Clients Per Port X Access Control Lists ACLs X Access Control Lists ACLs IPv6 X AAA Authentication X Authorized IP Managers X Authorized IP Managers IPv6 X Authorized Manager List Web Telnet TFTP X Auto MDIX Configuration X BOOTP X Config File X Console Access X Co...

Page 25: ...CMP X Event Log X Factory Default Settings X Flow Control 802 3x X File Management X File Transfers X Friendly Port Names X Guaranteed Minimum Bandwidth GMB X GVRP X Identity Driven Management IDM X IGMP X Interface Access Telnet Console Serial Web X IP Addressing X IPv6 Addressing X IP Preserve IPv6 X Software Features Manual Management and Configuration Advanced Traffic Management Multicast and ...

Page 26: ...Pv6 X Meshing X MLD Snooping IPv6 X Monitoring and Analysis X Multicast Filtering X Multiple Configuration Files X Network Management Applications SNMP X Nonstop Switching 8200zl switches X Out of Band Management OOBM X OpenView Device Management X OSPFv2 IPv4 X OSPFv3 IPv6 X Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Gui...

Page 27: ...PoE and PoE X Protocol Filters X Protocol VLANS X QinQ Provider Bridging X Quality of Service QoS X RADIUS Authentication and Accounting X RADIUS Based Configuration X Rate Limiting X RIP X RMON 1 2 3 9 X Routing X Routing IP Static X Route Redistribution X SavePower Features X Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security G...

Page 28: ...SL Secure Socket Layer X Stack Management Stacking X Syslog X System Information X TACACS Authentication X Telnet Access X Telnet IPv6 X TFTP X Time Protocols TimeP SNTP X Time Protocols IPv6 X Traffic Mirroring X Traffic Security Filters X Troubleshooting X Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide IPv6 Configurat...

Page 29: ...Filtering X VLANs X VLAN Mirroring 1 static VLAN X Voice VLAN X VRRP X Web Authentication RADIUS Support X Web based Authentication X Web UI X Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide IPv6 Configuration Guide Basic Operation Guide ...

Page 30: ...xxviii ...

Page 31: ...ith Access Security on page 1 10 It outlines potential threats for unauthorized switch and network access and provides guidelines on how to prepare the switch for secure network operation About This Guide This Access Security Guide describes how to configure security features on your switch Not e For an introduction to the standard conventions used in this guide refer to the Getting Started chapte...

Page 32: ...w Introduction For the latest version of all HP networking switch documentation including Release Notes covering recently added features and other software topics visit the HP networking web site at www hp support manuals ...

Page 33: ...n page 1 11 for details Table 1 1 Access Security and Switch Authentication Features Feature Default Setting Security Guidelines More Information and Configuration Details Manager password no password ConfiguringalocalManagerpasswordisafundamental step in reducing the possibility of unauthorized access through the switch s WebAgent and console CLI and Menu interfaces TheManagerpasswordcaneasilybe ...

Page 34: ...em Information in the Management and Configuration Guide For RADIUS accounting refer to Chapter 6 RADIUS Authentication and Accounting SSH disabled SSH provides Telnet like functions through encrypted authenticated transactions of the following types client public key authentication uses one or more public keys from clients that must be stored on the switch Only a client with a private key that ma...

Page 35: ... across the network through the following Telnet and other terminal emulation applications The WebAgent SNMP with a correct community name Chapter 15 Using Authorized IP Managers Secure Management VLAN disabled This feature creates an isolated network for managing the HP switches that offer this feature When a secure managementVLANisenabled CLI Menuinterface and WebAgent access is restricted to po...

Page 36: ...Port Based and User Based Access Control 802 1X Web and MAC Authentication none These options are designed for application on the edge of a network to provide port based security measures for protecting private networks and the switch itself from unauthorized access Because neither method requires clients to run any special supplicant software both are suitable for legacy systems and temporary acc...

Page 37: ...osis and automated updates to the switch via the USB flash drive When enabled in secure mode this is done with secure credentials to prevent tampering Note that the USB Autorun feature is disabled automatically once a password has been set on the switch Management and Configuration Guide Appendix A File Transfers refer to the section USB Autorun Traffic Security Filters none These statically confi...

Page 38: ...relied upon for a complete security solution Chapter 10 IPv4 Access Control Lists ACLs Port Security MACLockdown and MAC Lockout none The features listed below provide device based access security in the following ways Port security Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port This enables i...

Page 39: ...ps defeat ICMP denial of service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions but throttle additional traffic that may be due to worms or viruses reducing their spread and effect Management and Configuration Guide in the chapter on Port Traffic Controls refertothesection ICMP Rate Limiting Spanning Tree Protection none These features prevent your sw...

Page 40: ...ility existing in your network and take steps to ensure that all reasonable security precautions are in place This includes both configurable security options and physical access to the switch Switch management access is available through the following methods Front panel access to the console serial port see Physical Security Inbound Telnet access Web browser access WebAgent SNMP access For guide...

Page 41: ...SB to Transfer Files to and from the Switch and Using USB Autorun in the Management and Configuration Guide Appendix A File Transfers Quick Start Using the Management Interface Wizard The Management Interface wizard provides a convenient step by step method to prepare the switch for secure network operation It guides you through the process of locking down the following switch operations or protoc...

Page 42: ...ss for help Operator password not configured Confirm password Manager password Confirm password Restrict SNMP access to SNMPv3 only no SNMPv2 community name notpublic SNMPv2 Community access level unrestricted Telnet enabled yes SSH enabled no Web management enabled yes Restrict Web access to SSL no Timeout for ssh telnet sessions 0 Operator password Manager password Restrict SNMP access to SNMPv3...

Page 43: ...zard Operating Notes and Restrictions Once a password has been configured on the switch you cannot remove it using the CLI wizard Passwords can be removed by executing the no password command directly from the CLI When you restrict SNMP access to SNMPv3 only the options SNMPv2 community name and access level will not appear The wizard displays the first available SNMPv2 community and allows the us...

Page 44: ...trap configuration The default configuration supports versions 1 and 2c compatibility which uses plain text and does not provide security options HP recommends that you enable SNMP version 3 for improved security SNMPv3 includes the ability to configure restricted access and to block all non version 3 messages which blocks version 1 and 2c unprotected operation SNMPv3 security options include conf...

Page 45: ...Auth MIB described above is not desirable for your network then immediately after downloading and booting from the K 12 xx or greater software for the first time use the following command to disable this feature snmp server mib hpswitchauthmib excluded If you choose to leave the authentication configuration MIB accessible then you should do the following to help ensure that unauthorized work stati...

Page 46: ...en port 1 Disabled Enabled physical port 2 MAC lockout Applies to all ports on the switch 3 MAC lockdown 4 Port security 5 Authorized IP Managers 6 Application features at higher levels in the OSI model such as SSH The above list does not address the mutually exclusive relationship that exists among some security features Precedence of Client Based Authentication Dynamic Configuration Arbiter The ...

Page 47: ...CA arbitrates the assignment of attributes on both authenticated and non authenticated ports DCA does not support the arbitration and assignment of client specific attributes on trunk ports Network Immunity Manager Network Immunity Manager NIM is a plug in to HP E PCM Plus and a key component of the HP Network Immunity security solution that provides comprehensive detection and per port response t...

Page 48: ...or unauthenticated port Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session Note that the attribute profile assigned to a client is often a combination of NIM configured RADIUS assigned and statically configured settings Precedence is always given to the temporarily applied NIM configured parameters over RADIUS assigned and locally configured par...

Page 49: ...epending on which are next in the hierarchy of precedence In addition DCA supports conflict resolution for QoS port based CoS priority and rate limiting ingress by determining whether to configure either strict or non strict resolution on a switch wide basis For example if multiple clients authenticate on a port and a rate limiting assignment by a newly authenticating client conflicts with the rat...

Page 50: ...n a user connects to the network This operation enables the network to approve or deny access at the edge of the network instead of in the core distinguish among different users and what each is authorized to do configure guest access without compromising internal security Criteria for enforcing RADIUS based security for IDM applications includes classifiers such as authorized user identity author...

Page 51: ...using SNMP For more information refer to Using SNMP To View and Configure Switch Authentication Features on page 6 30 Usernames and passwords for Manager and Operator access can also be configured using the Management Interface Wizard For more information refer to Quick Start Using the Management Interface Wizard on page 1 11 Feature Default Menu CLI WebAgent Set Usernames none page 2 9 Set a Pass...

Page 52: ...end after the specified period of inactivity thusgivingyouaddedsecurityagainstunauthorizedconsoleaccess You can use either of the following to set the inactivity timer Menu Interface System Information screen Select 2 Switch Configu ration CLI Use the console inactivity timer 0 1 5 10 15 20 30 60 120 Level Actions Permitted Manager Access to all console interface areas This is the default level Th...

Page 53: ...t allow management access for that session Passwords are case sensitive When configuring an operator or manager password a message will appear indicating that USB autorun has been disabled For more information on the autorun feature refer to the Appendix A on File Transfers in the Manage ment and Configuration Guide for your switch C a u t i o n If the switch has neither a Manager nor an Operator ...

Page 54: ...rd a Select Set Manager Password or Set Operator Password You will then be prompted with Enter new password b Type a password of up to 16 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new console session you w...

Page 55: ...d Manager Level access 1 Enter the console at the Manager level 2 Go to the Set Passwords screen as described above 3 Select Delete Password Protection You will then see the following prompt Continue Deletion of password protection No 4 Press the Space bar to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot sta...

Page 56: ...ection means to eliminate password security This command prompts you to verify that you want to remove one or both passwords then clears the indicated password s This command also clears the username associated with a password you are removing For example to remove the Operator password and username if assigned from the switch you would do the following Figure 2 3 Removing a Password and Associate...

Page 57: ...r password pass phrase The username must be in quotes for example The little brown fox A space is not allowed as part of a username without the quotes A password that includes a space or spaces should not have quotes Restrictions for the Setmib Command Usernames and passwords can be set using the CLI command setmib They cannot be set using SNMP Quotes are permitted for enclosing other characters f...

Page 58: ...oftware version that does not include this feature use one of the following procedures 1 Reset the username and or password to be no more than 16 characters in length and without any special characters using the CLI command password or the equivalent in the WebAgent Then execute a CLI write memory command required if the include credentials feature has ever been enabled HP Switch config password m...

Page 59: ...er a software version downgrade clear the password by using the Clear button on the switch to regain access Then boot into a software version that supports long passwords and perform steps 1 2 or 3 in the preceding section WebAgent Setting Passwords and Usernames In the WebAgent you can enter passwords and optional usernames See the WebAgent Online Help for detailed information ...

Page 60: ...re authentication sessions with TACACS servers RADIUS shared secret encryption keys used to encrypt packets and secure authentication sessions with RADIUS servers Secure Shell SSH public keys used to authenticate SSH clients that try to connect to the switch Benefits of Saving Security Credentials The benefits of including and saving security credentials in a configuration file are as follows Afte...

Page 61: ...and operator usernames and passwords RADIUS shared secret keys SNMP and 802 1X authenticator port access security credentials and SSH client public keys in the running configuration Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running config file To view the currently configured security set...

Page 62: ...e hash type pass hash password operator user name name hash type pass hash where name is an alphanumeric string for the user name assigned to the manager or operator hash type indicates the type of hash algorithm used SHA 1 or plain text pass hash is the SHA 1 authentication protocol s hash of the pass word or clear ASCII text For example a manager username and password may be stored in a running ...

Page 63: ...password For more information about configuring local manager and operator passwords refer to Configuring Username and Password Security on page 2 1 in this guide For more information about configuring a port access password for 802 1X client authentication see 802 1X Port Access Credentials on page 2 15 in this guide Syntax no password manager operator port access user name name hash type passwor...

Page 64: ...h and the station The following example shows the additional security credentials for SNMPv3 users that can be saved in a running config file Figure 2 4 Example of Security Credentials Saved in the Running Config Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA 1 hash of the password the password is displayed and saved in a configuration fil...

Page 65: ...rately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch For information on the new password command syntax see Password Command Options on page 2 13 After you enter the complete password port access command syntax the password is set You are not prompted to enter the password a second time TACAC...

Page 66: ...itted across the network For more information refer to 3 Configure the Switch To Access a RADIUS Server on page 6 14 in this guide RADIUS shared secret encryption keys can be saved in a configuration file by entering this command HP Switch config radius server key keystring The option keystring is the encryption key in clear text used for secure communication with all or a specific RADIUS server S...

Page 67: ...contains SSH client public key configurations the downloaded public keys overwrite any existing keys as happens with any other configured values Syntax ip ssh public key manager operator keystring Set a key for public key authentication manager allows manager level access using SSH public key authentication operator allows operator level access using SSH public key authentication keystring a legal...

Page 68: ... BhkXjtHhz6gD701otgizUOO6 Xzf4 J9XkJHkOCnbHIqtB1sbRYBTxj3NzA K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP pv2scqPPXQghgaTkdPwGGtdFW K4xRskAnIaxuG0qLbnekohi ND4TkKZd EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf QV95kdNwWIbxuusBAzvfaJptd gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7 1kVOdS G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK piG Q1el1w9zsMaxPA1XJzSY imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6...

Page 69: ...a switch boots up The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off A warning message reminds you to permanently save a security setting After you enter theinclude credentials command the currently configured manager and operator usernames and passwords RADIUS shar...

Page 70: ...configuration files Each configuration filecontainsitsownsecuritycredentialsandthesesecurityconfigurations may differ It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported If you have already enabled the stora...

Page 71: ...MPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file To display the engine ID of a switch enter the show snmpv3 engine id command To configure authentication and privacy passwords for SNMPv3 users enter the snmpv3 user command If the engine ID in the saved SNMPv3 s...

Page 72: ...e by using the include credentials command Note that the password port access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch For more information about how to use the password port access command to configure operator passwords and usernames for 802 1X authentica tion see DoThese...

Page 73: ...h Insurance Portability and Accountability Act HIPAA of 1996 requires that systems handling and transmitting confidential medical records must be secure It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key For some customers this is no longer true Others simply...

Page 74: ...tton and the Clear button When using redundant management the System Reset button reboots the entire chassis See Resetting the Management Module in the Management and Configuration Guide for more information on resetting the management modules in a redundant management switch Figure 2 6 Front Panel Button Locations on a HP E3800 Switch Clear Button Pressing the Clear button alone for one second re...

Page 75: ...set Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button 2 While holding the Reset button press and hold the Clear button 3 Release the Reset button Reset Clear Reset Clear Reset Clear ...

Page 76: ...le or re enable the password clearing function of the Clear button Disabling the Clear button means that pressing it does not remove local password protection from the switch This action affects the Clear button when used alone but does not affect the operation of the Reset Clear combination described under Restor ing the Factory Default Configuration on page 2 25 Configure the Clear button to reb...

Page 77: ...is enabled then pressing the Clear button erases the local usernames and passwords from the switch When reset on clear is enabled pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch Enabling reset on clear automatically enables clear password Default Disabled Note If you have stored security credentials including the local manager and operator ...

Page 78: ...red with the ability to recover a lost password Refer to Password Recovery Process on page 2 34 Default Enabled CAUTION Disabling this option removes the ability to recover a password on the switch Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security If you disable password recovery and then lose the password you will have to use...

Page 79: ...disables the password clear function of the Clear button so that pressing it has no effect on any local usernames and passwords For redundant management systems this command only affects the active management module Default Enabled Note Although the Clear button does not erase passwords when disabled you can still use it with the Reset button Reset Clear to restore the switch to its factory defaul...

Page 80: ...ord clear Enabled reset on clear Disabled Thus To enable password clear with reset on clear disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password clear For redundant management systems this command only aff...

Page 81: ... the Reset Clear combination from being used for this purpose Shows password clear disabled Enables password clear with reset on clear disabled by the no statement at the beginning of the command Shows password clear enabled with reset on clear disabled Syntax no front panel security factory reset Disables or re enables the following functions associated with using the Reset Clear buttons in the c...

Page 82: ...prior to an attempt to recover from a lost username password situation Contacting your HP Customer Care Center to acquire a one time use password Disabling or Re Enabling the Password Recovery Process Disabling the password recovery process means that the only method for recovering from a lost manager username if configured and password is to reset the switch to its factory default configuration w...

Page 83: ...t parameter is enabled If it is disabled use the front panel security factory reset command to enable it 3 Press and release the Clear button on the front panel of the switch 4 Within 60 seconds of pressing the Clear button enter the following com mand no front panel security password recovery Syntax no front panel security password recovery Enables or using the no form of the command disables the...

Page 84: ...ir is to use the Reset Clear button combination described under Restoring the Factory Default Configuration on page 2 25 This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured To use the password recovery option to recover a lost password 1 Note the switch s base...

Page 85: ...name and Password Security Password Recovery algorithm is randomized based upon your switch s MAC address the pass word will change as soon as you use the one time use password provided to you by the HP Customer Care Center ...

Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...

Page 87: ...It is primarily concerned with the class of worm like malicious code that tries to replicate itself by using vulnerabilities on other hosts that is weaknesses in network applications behind unsecured ports Agents of this variety operate by choosing a set of hosts to attack based on an address range sequential or random that is exhaustively searched either by blindly attempting to make connections ...

Page 88: ...re tool you can use in your inci dent management program to help detect an manage worm type IT security threats received in inbound IP traffic Major benefits of this tool include Behavior based operation that does not require identifying details unique to the code exhibiting the worm like operation Handles unknown worms Needs no signature updates Protectsnetwork infrastructure byslowing orstopping...

Page 89: ... other hosts Filtering Options In the default configuration connection rate filtering is disabled When enabled on a port connection rate filtering monitors inbound IP traffic for a high rate of connection requests from any given host on the port If a host appears to exhibit the worm like behavior of attempting to establish a large number of outbound IP connections in a short period of time the swi...

Page 90: ...ly blocked Sensitivity to Connection Rate Detection The switch includes a global sensitivity setting that enables adjusting the ability of connection rate filtering to detect relatively high instances of con nection rate attempts from a given source Application Options For the most part normal network traffic is distinct from the traffic exhibited by malicious agents However when a legitimate netw...

Page 91: ... are useful only if you need to exclude inbound traffic from your connection rate filtering policy For example a server responding to network demand may send a relatively high number of legitimate connection requests This can generate a false positive by exhibiting the same elevated connection rate behavior as a worm Using a connection rate ACL to apply an exception for this server allows you to e...

Page 92: ...und traffic destined for that host is still permitted Once a throttle has been triggered on a port temporarily blocking inbound IP traffic it cannot be undone during operation the penalty period must expire before traffic will be allowed from the host Unblocking a Currently Blocked Host A host blocked by connection rate filtering remains blocked until explicitly unblocked by one of the following m...

Page 93: ...ting high connection rates 5 Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior 6 Hostsdemonstratinghigh butlegitimateconnectionrates suchasheavily used servers may trigger a connection rate filter Configure connection rate ACLs to create policy exceptions for trusted hosts Exceptions can be confi...

Page 94: ...ts and helps to identify hosts that may require updates or patches to eliminate malicious code 1 Configure connection rate filtering to throttle on all ports 2 Set global sensitivity to medium 3 If SNMP trap receivers are available in your network use the snmp server command to configure the switch to send SNMP traps 4 Monitor the Event Log or the available SNMP trap receivers if configured on the...

Page 95: ... in this section to enable connection rate filtering on the switch and to apply the filtering on a per port basis You can use the ACL commands in the next section to adjust a filter policy on a per vlan basis to avoid filtering traffic from specific trusted source addresses Command Page Global and Per Port Configuration connection rate filter sensitivity low medium high aggressive 3 10 filter conn...

Page 96: ...ensitivity to the lowest possible sensitivity which allows a mean of 54 destinations in less than 0 1 seconds and a corresponding penalty time for Throttle mode if configured of less than 30 seconds medium Sets the connection rate sensitivity to allow a mean of 37 destinations in less than 1 second and a corresponding penalty time for Throttle mode if configured between 30 and 60 seconds high Sets...

Page 97: ...fy only generates an Event Log message Sends a similar message to any SNMP trap receivers configured on the switch throttle If the switch detects a relatively high number of IP connection attempts from a specific host this option generates the notify only messaging and also blocks all inbound traffic from the offending host for a penalty period After the penalty period the switch allows traffic fr...

Page 98: ...lowing response to high connection rate traffic on the switch Ports B1 B3 Throttle traffic from the transmitting host s Port B4 Respond with Notify Only to identify the transmitting host s Ports B9 D1 and D2 Block traffic from the transmitting host s Figure 3 3 illustrates the configuration steps and resulting startup config file HP Switch Server Company Intranet VLAN 1 15 45 100 1 VLAN 10 15 45 2...

Page 99: ...x ip routing snmp server community public Unrestricted snmp server host 15 45 200 75 public vlan 1 name DEFAULT_VLAN untagged 1 9 14 24 ip address 10 10 10 145 255 255 255 0 no untagged 10 13 21 22 ip proxy arp exit vlan 10 name VLAN10 untagged 10 13 no ip address ip proxy arp exit vlan 15 name VLAN15 untagged 21 22 no ip address ip proxy arp exit filter connection rate 14 notify only filter conne...

Page 100: ... details use show config or show running page 3 15 Figure 3 4 Example of Displaying the Connection Rate Status Sensitivity and Per Port Configuration Syntax show connection rate filter Displays the current global connection rate status enabled disabled and sensitivity setting and the cur rent per port configuration This command does not display the current optional connection rate ACL con figurati...

Page 101: ... filtering configuration The source IP address block imposed by connection rate filtering does not age out This is to help prevent a malicious host from automatically regaining access to the network Syntax show connection rate filter all hosts blocked hosts throttled hosts all hosts Lists by VLAN membership all hosts currently detected in a throttling or blocking state along with a state indicator...

Page 102: ...g the sensitivity level on the associated port or configuring a connection rate ACL to create a filtering exception for the host Note For a complete list of options for unblocking hosts see page 3 6 Syntax connection rate filter unblock all host ip addr all Unblocks all hosts currently blocked due to action by connection rate filtering on ports where block mode has been configured host ip addr Unb...

Page 103: ...mate traffic from a trusted source and apply connection rate filtering only to inboundtraffic from untrustedsources Forexample wherea connection rate policy has been configured you can apply a connection rate ACL that causes the switch bypass connection rate policy filtering on traffic from A trusted server exhibiting a relatively high IP connection rate due to heavy demand A trusted traffic sourc...

Page 104: ...d VLAN and creates an exception to the connection rate filter policy configured on each port A connection rate ACL has no effect on ports in the VLAN that are not configured for connection rate filtering A connection rate ACL accepts inbound legitimate traffic from trusted sources without filtering the traffic for the configured connection rate policy You can configure anACL to assign policy filte...

Page 105: ...ext HP Switch config crf nacl If the ACL already exists this command simply puts the CLI into the ACE context Syntax filter ignore ip any host ip addr ip addr mask length Used in the ACE context above to specify the action of the connection rate ACE and the source IP address of the traffic that the ACE affects Inbound IP traffic from Host A with relatively high number of IP connection rate attempt...

Page 106: ... for traffic addressed by the ACE any Applies the ACEs action filter or ignore to traffic having any SA host ip addr Applies the ACEs action filter or ignore to traffic having the specified host SA ip addr mask length Applies the ACEs action filter or ignore to traffic having an SA within the range defined by either src ip addr cidr mask bits or src ip addr mask Use this criterion for traffic rece...

Page 107: ...udp tcp ip addr mask length udp tcp options Used in the ACE context above to specify the action of the connection rate ACE filter or ignore and the UDP TCP criteria and SA of the IP traffic that the ACE affects filter ignore filter This option assigns a policy of filtering drop ping IP traffic having an SA that matches the source address criteria in the ACE ignore This option specifies a policy of...

Page 108: ...port udp data tcp data operator tcp port udp data operator udp port operator eq gt lt neq range eq port nbr or name Equal To to have a match with the ACE entry the TCP or UDP source port number in a packet must be equal to the specified port number gt port nbr or name Greater Than to have a match with the ACE entry the TCP or UDP source port number in a packet must be greater than the specified po...

Page 109: ...e 53 ntp Network Time Protocol 123 radius Remote Authentication Dial In User Service 1812 radius old Remote Authentication Dial In User Service 1645 rip Routing Information Protocol 520 snmp Simple Network Management Protocol 161 snmp trap Simple Network Management Pro tocol 162 tftp Trivial File Transfer Protocol 69 HP Switch config ignore tcp host 15 75 10 11 destination port eq 1812 source port...

Page 110: ...are configured for connection rate filtering A connection rate ACL does not apply to ports in the VLAN that are not configured for connection rate filtering The no form of the command removes the connection rate ACL assignment from the VLAN Note The switch allows only one connection rate ACL assign ment per VLAN If a connection rate ACL is already assigned to a VLAN and you assign another connecti...

Page 111: ... The server at IP address 15 45 50 17 frequently transmits a relatively high rate of legitimate connection requests which now triggers connection rate blocking of the server s IP address on port D2 This causes periodic unnecessary blocking of access to the server The administrator needs to maintain blocking protection from the Company Intranet while allowing access to the server at 15 45 50 17 Bec...

Page 112: ...e IP address SA exactly matches the specified IP address The ACL will automatically include the implicit filter ACE as the last entry which means that any traffic that is not from the desired server will be subject to filtering by the connection rate policy configured on port D2 2 Assigning the ACL to the VLAN through which traffic from the server enters the switch Figure 3 9 Creating and Assignin...

Page 113: ...ch the traffic entered the switch HP Switch config show config Startup configuration J9573A Configuration Editor Created on release KA 15 03 Ver 01 00 01 hostname HP Switch connection rate filter sensitivity high ip access list connection rate filter 17 server ignore ip 15 45 50 17 0 0 0 0 exit module 1 type J9573x ip routing snmp server community public Unrestricted snmp server host 15 45 200 75 ...

Page 114: ... in any connection rate ACL you configure For example assume that a port is configured with a connection rate policy and is in a VLAN configured with a connection rate ACL If there is no match between an incoming packet and the ACE criteria in the ACL then the implicit filteripany sends the packet for screening by the connection rate policy configured on that port To preempt the implicit filter ip...

Page 115: ...ent by allowing you to control access from a master database in a single server You can use up to three RADIUS servers to provide backups in case access to the primary server fails It also means the same credentials can be used for authentication regardless of which switch or switch port is the current access point into the LAN On a port configured for Web or MAC Authentication the switch operates...

Page 116: ...e switch forwards the device s MAC address to the RADIUS server for authentication The RADIUS server uses the device MAC address as the username and password and grants or denies network access in the same way that it does for clients capable of interactive logons The process does not use either a client device configuration or a logon session MAC authentication is well suited for clients that are...

Page 117: ...enabled for MAC authentication if Web and MAC authentication are both enabled on the port Hitless reauthentication must be of the same type MAC that was used for the initial authentication Non hitless reauthentication can be of any type The remaining Web MAC functionality including interactions with 802 1X remains the same Web and MAC authentication can be used for different clients on the same po...

Page 118: ...entication on a port RADIUS Based Authentication In Web and MAC authentication you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client When a RADIUS server authenticates a client the switch port membership during the client s connection is determined according to the following hierarchy 1 A RADIUS assigned VLAN 2 An authorized VLAN specified in the ...

Page 119: ...i rected to the switch A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password The default User Login screen is shown in Figure 4 1 Figure 4 1 Example of Default User Login Screen When a client connects to the switch it sends a DHCP request to receive an IP address to connect to the network To avoid address conflicts in a...

Page 120: ...sful login a client may be redirected to a URL if you specify a URL value redirect url when you configure web authentication Figure 4 3 Authentication Completed The assigned VLAN is determined in order of priority as follows 1 If there is a RADIUS assigned VLAN then for the duration of the client session the port belongs to this VLAN and temporarily drops all other VLAN memberships 2 If there is n...

Page 121: ... before timing out The max requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails The switch waits a specified amount of time quiet period before processing any new authentication requests from the client Network administrators may assign unauthenticated clients to a specific static untagged VLAN unauth vid to provide access ...

Page 122: ... port to another and client moves have not been enabled addr moves on the ports the session ends and the client must reauthenticate for network access At the end of the session the port returns to its pre authentication state Any changes to the port s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid crede...

Page 123: ...s or username and password before being allowed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified web page presented to an authorized client following W...

Page 124: ...her precedent port access management feature is not enabled on the port For example be sure that Port Security is disabled on a port before configuring the port for Web or MAC Authentication If Port Security is enabled on the port this misconfiguration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to configure VLAN assignments ...

Page 125: ... or MAC based authentication must be statically configured VLANs on the switch Also if you configure one or both of these options any services you want clients in either category to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an a...

Page 126: ...ure that client authenticated edge ports get blocked when loops occur you should enable loop protection on those ports For more information refer to Loop Protection in the chapter titled Multiple Instance Spanning Tree Operation in the Advanced Traffic Manage ment Guide for your switch Setup Procedure for Web MAC Authentication Before You Configure Web MAC Authentication 1 Configure a local userna...

Page 127: ...tcanjoinan Authorized VLAN forthedurationoftheclientsession ifyouchoosetoconfigure one This must be a port based statically configured VLAN on the switch c If there is neither a RADIUS assigned VLAN or an Authorized VLAN for an authenticated client session on a port then the port s VLAN membership remains unchanged during authenticated client ses sions In this case configure the port for the VLAN ...

Page 128: ... server and configure the server Refer to the documentation provided with your RADIUS application and include the following in the policy for each client or client device The CHAP RADIUS authentication method An encryption key One of the following If you are configuring Web based authentication include the user name and password for each authorized client If you are configuring MAC based authentic...

Page 129: ...vice use the base MAC address assigned to the device and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch Note that the switch applies a single MAC address to all VLANs configured in the switch Thus for a given switch the MAC address is the same for all VLANs configured on the switch Refer to the chapter titled Static Virtual LANs VLANs i...

Page 130: ...US server addresses configured in the switch include a server specific encryption key The tilde character is allowed in the string for example radius server key hp network It is not backward compatible the character is lost if you use a software version that does not support the character Default Null Syntax radius server host ip address key server specific key string no radius server host ip addr...

Page 131: ...re 4 5 Example of Configuring a Switch To Access a RADIUS Server HP Switch config radius server host 192 168 32 11 HP Switch config radius server host 192 168 32 11 key 1A7rd HP Switch config show radius Status and Counters General RADIUS Information Deadtime min 0 Timeout secs 5 Retransmit Attempts 3 Global Encryption Key Auth Acct Server IP Addr Port Port Encryption Key 192 168 32 11 1812 1813 1...

Page 132: ...US server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Optional To use SSL encryption for web authentication login configure and enable SSL on the switch 7 Enable web authentication on the switch ports you want to use 8 Configure the optional settings that you want to use for web authentica...

Page 133: ...uthentication works properly on the ports you have configured for port access using Web Authentication Note Client web browsers might not use a proxy server to access the network Configuration Commands for Web Authentication Command Page Configuration Level aaa port access port list controlled directions both in 4 20 no aaa port access web based port list 4 22 auth vid 4 22 clear statistics 4 22 c...

Page 134: ...gured for web authentication before authentication occurs Out going traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication Prerequisites As implemented in 802 1X authentica tion the disabling of incoming traffic and transmis sion of outgoing traffic on a web authenticated egress port in an unauthenticated state using the aaa port access con...

Page 135: ...e Wake on LAN feature is used by network administrators to remotely power on a sleeping workstation for example during early morning hours to perform routine maintenance operations such as patch management and software updates Using the aaa port access controlled directions in command you can enable the transmission of Wake on LAN traffic on unauthenticated egress ports that are configured for any...

Page 136: ...Default 0 Syntax aaa port access web based clear statistics Clears resets to 0 all counters used to monitor the CEI HTTP Web Auth control traffic generated in web authentication session To display Web Auth traffic statistics enter the show port access web based statis tics command Syntax aaa port access web based port list client limit 1 256 Specifies the maximum number of authenticated cli ents t...

Page 137: ...a port access web based ewa server ipv4 addr hostname page path Configures a connection with the web server at the specified IPv4 address ipv4 addr or host name ipv4 addr on which customized login web pages used for Web Authentication are stored A maximum of 3 web servers may be configured on the switch The optional page path parameter defines the direc tory path on the server where all customized...

Page 138: ...od interval the client is returned to its pre authentication state Default 300 seconds Syntax aaa port access web based port list max requests 1 10 Specifies the number of authentication attempts that must time out before authentication fails Default 2 Syntax aaa port access web based port list max retries 1 10 Specifies the number of the number of times a client can enter their user name and pass...

Page 139: ... after a successful login Any valid fully formed URL may be used for example http welcome server welcome htm or http 192 22 17 5 HP recommends that you provide a redirect URL when using Web Authentication Note The redirect url command accepts only the first 103 characters of the allowed 127 characters Use the no form of the command to remove a specified redirect URL Default There is no default URL...

Page 140: ...r each port includes Number of authorized and unauthorized clients VLAN ID number of the untagged VLAN used If the switch supports MAC based untagged VLANs MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions If tagged VLANs statically configured or RADIUS assigned are used Yes or No If client specific per port CoS Class of Service values are config...

Page 141: ...nt on the switch The IP address displayed is taken from the DHCP binding table learned through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If a web authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding ...

Page 142: ... for a client s IP address n a IPv6 a web authenticated client uses an IPv6 address n a no info DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table HP Switch config show port access web based clients 1 detailed Port Access Web Based Client Status Detailed Client Base Details Port 1 Session Status authenticated Session Time sec 6 Username webuse...

Page 143: ...ections setting for transmitting Wake on LAN traffic on egress ports Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0 the default VLAN ID is used unless overridden by a RADIUS assigned value HP Switch config show port access web based config Port Access Web Based Configuration DHCP Base Address 192 168 0 0 DHCP Subnet Mask 255 255 255 0 DHCP Lease Length 10...

Page 144: ...tailed information on the currently config ured Web Authentication settings for specified ports HP Switch config show port access web based config 1 detailed Port Access Web Based Detailed Configuration Port 1 Web based enabled Yes Client Limit 1 Client Moves No Logoff Period 300 Re Auth Period 0 Unauth VLAN ID 0 Auth VLAN ID 0 Max Requests 3 Quiet Period 60 Server Timeout 30 Max Retries 3 SSL Ena...

Page 145: ...oreauthenticationlogin fails Length of time quiet period supported between authentication login attempts HP Switch config show port access web based config auth server Port Access Web Based Configuration Client Client Logoff Re Auth Max Quiet Server Port Enabled Limit Moves Period Period Req Period Timeout 1 Yes 1 No 300 0 3 60 30 2 No 1 No 300 0 3 60 30 Syntax show port access web based config po...

Page 146: ...Incorporate CSS styles consistent with the appearance of your network Implementing Customized Web Auth Pages To implement enhanced Web Authentication pages you need to Configure and start a web server on your local network Customize the HTML template files and make them accessible to the web server Configure the switch to display the customized files by using the aaa port access web based ewa serv...

Page 147: ... Customizing HTML Templates When you customize an HTML template follow these guidelines Do not change the name of any of the HTML files index html accept html and so on Some template pages use Embedded Switch Includes ESIs or Active Server Pages These should not be modified when customizing HTML files ESIs behave as follows i A client s web browser sends a request for an HTML file The switch passe...

Page 148: ...gin Page index html Figure 4 14 User Login Page The index html file is the first login page displayed in which a client requesting access to the network enters a username and password In the index html Template file you can customize any part of the source code except for the form that processes the username and password entered by a client File Name Page index html 4 34 accept html 4 36 authen ht...

Page 149: ...mplate index html html head title User Login title head body h1 User Login h1 p In order to access this network you must first log in p form action webauth loginprocess method POST table tr td Username td td input name user type text td tr tr td Password td td input name pass type password td tr tr td td td input type submit value Submit td tr table form body html ...

Page 150: ...ure the VLAN used by authorized clients specify a VLAN ID with the aaa port access web based auth vid command parameter when you enable Web Authentication Theaccept htmlfile containsthe following ESIs which shouldnot be modified The GETWAUTHREDIRECTTIME ESI inserts the value for the waiting time used by the switch to redirect an authenticated client while the client renews its IP address and gains...

Page 151: ...title Access Granted title The following line is required to automatically redirect meta http equiv refresh content GETWAUTHREDIRECTTIME URL GETWAUTHREDIRECTURL head body h1 Access Granted h1 The ESI tag below will be replaced with the time in seconds until the page redirects p You have been authenticated Please wait GETWAUTHREDIRECTTIME second while network connection refreshes itself p body html...

Page 152: ...ent login and is refreshed while user credentials are checked and verified Figure 4 19 HTML Code for Authenticating Page Template HP Switch Web Authentication Template authen html html head title Authenticating title The following line is always required meta http equiv refresh content 2 URL webauth statusprocess head body h1 Authenticating h1 p Please wait while your credentials are verified p bo...

Page 153: ...ed client is assigned to the VLAN configured for unauthorized client sessions You can configure the VLAN used by unauthor ized clients with the aaa port access web based unauth vid command when you enable Web Authentication The GETWAUTHREDIRECTTIME ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client while the client renews its IP address and gains ac...

Page 154: ... html html head title Invalid Credentials title The following line is required to automatically redirect meta http equiv refresh content GETWAUTHREDIRECTTIME URL GETWAUTHREDIRECTURL head body h1 Invalid Credentials h1 p Your credentials were not accepted However you have been granted gues account status Please wait GETWAUTHREDIRECCTTIME seconds while network connection refreshes itself p body html...

Page 155: ...e time period in seconds that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port access web based server timeout command when you enable Web Authentication Figure 4 23 HTML Code for Timeout Page Template HP Switch Web Authentication Template timeout html html head title Timeout title head body h1 Timeout h1 p Your credentials could not be ver...

Page 156: ... username and or password and is given another opportunity to log in The GETWAUTHRETRIESLEFT ESI displays the number of login retries that remain for a client that entered invalid login credentials You can configure the number of times that a client can enter their user name and password before authentication fails with the aaa port access web based max retries commands when you enable Web Authent...

Page 157: ...ation Template retry_login html html head title Invalid Credentials title The following line is required to automatically redirect the user back to the login page meta http equiv refresh content 5 URL EWA index html head body h1 Invalid Credentials h1 p Your credentials were not accepted You have GETWAUTHRETRIESLEFT retries left Please try again p body html ...

Page 158: ...ed to an SSL server to enter credentials for Web Authentication If you have enabled SSL on the switch you can enable secure SSL based Web Authentication by entering the aaa port access web based ssl login command when you enable Web Authentication The GETWAUTHSSLSRV ESI inserts the URL that redirects a client to an SSL enabled port on a server to verify the client s username and password This ESI ...

Page 159: ... sslredirect html html head title User Login SSL Redirect title meta http equiv refresh content 5 URL https GETWAUTHSSLSRV EWA index html head body h1 User Login SSL Redirect h1 p In order to access this network you must first log in p p Redirecting in 5 seconds to secure page for you to enter credentials or href https GETWAUTHSSLSRV EWA index html click here a p body html ...

Page 160: ...nt login fails and no VLAN is configured for unauthorized clients The GETWAUTHQUIETTIME ESI inserts the time period used to block an unauthorized client from attempting another login To specify the time period before a new authentication request can be received by the switch configure a value for the aaa port access web based quiet period command when you enable Web Authentication This ESI should ...

Page 161: ...ct_novlan html html head title Access Denied title The line below is required to automatically redirect the user back to the login page meta http equiv refresh content GETWAUTHQUIETTIME URL EWA index html head body h1 Access Denied h1 p Your credentials were not accepted Please wait GETWAUTHQUIETTIME seconds to retry You will be redirected automatically to login page p body html ...

Page 162: ...t assignments have been made 3 Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC Auth on the switch 4 Configure the switch with the correct IP address and encryption key to access the RADIUS server 5 Configure the switch for MAC Auth a Configure MAC Authentication on the switch ports you want to ...

Page 163: ... implementing the global MAC authentication password option it is important that the user database on the RADIUS server has the MAC authen tication password as the password for each device performing MAC authen tication Use this command to configure the global MAC authentication password Command Page Configuration Level aaa port access mac based addr format 4 49 no aaa port access mac based passwo...

Page 164: ... config Port Access MAC Based Configuration MAC Address Format no delimiter Password secretMAC1 Unauth Redirect Configuration URL Unauth Redirect Client Timeout sec 1800 Unauth Redirect Restrictive Filter Disabled Total Unauth Redirect Client Count 0 Client Client Logoff Re Auth Unauth Auth Cntrl Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir 1 No 1 No 300 0 0 0 both 2 No 1 No 300 0 0 ...

Page 165: ...addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb cc dd ee ff format multi colon specifies an aa bb cc dd ee ff format no delimiter uppercase specifies an AABBCCDDEEFF format single dash uppercase specifies an AABBCC DDEEFF format multi dash uppercase specifies an AA BB CC DD...

Page 166: ... and when one does occur the user will be forced to re authenticate At least two ports from port s and to port s must be specified Use the no form of the command to disable MAC address moves between ports under MAC Auth control Default disabled no moves allowed Syntax aaa port access mac based e port list auth vid vid no aaa port access mac based e port list auth vid Specifies the VLAN to use for ...

Page 167: ...ated while the reauthentication occurs When set to 0 reauthentication is disabled Default 300 seconds Syntax aaa port access mac based e port list reauthenticate Forces a reauthentication of all attached clients on the port Syntax aaa port access mac based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing...

Page 168: ...ed Message on the Switch Syntax no aaa port access web based access denied message access denied str radius response Specifies the text message ASCII string shown on the web page after an unsuccessful login attempt The message must be enclosed in quotes The no form of the command means that no message is displayed upon failure to authenticate Default The internal web page is used No message will b...

Page 169: ...ge Custom Please contact your system administrator to obtain authentication privileges Client Client Logoff Re auth Unauth Auth Ctrl Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir A1 Yes 1 No 300 60 1 2 both A2 Yes 18 No 999999999 999999999 0 0 both A3 Yes 22 No 999999999 999999999 4096 4096 both HP Switch config show port access web based config Port Access Web based Configuration DHC...

Page 170: ...s an example of the denied access message that appears when unauth vid is configured Figure 4 34 Example of Web Page with Configured Access Denied Message When unauth vid is Configured Figure 4 35 shows an example of a web page displaying the access denied message when un auth vid is not configured Invalid Credentials Your credentials were not accepted You may have limited network access Please wa...

Page 171: ...ed access denied message Invalid Credentials Your credentials were not accepted Please wait 96 seconds to retry You will be redirected automatically to the login page Unauthorized access to this network is prohibited Access to this network requires prior authorization from the System Administrator Please obtain the credentials prior to logging in Please contact your system administrator to obtain ...

Page 172: ...FAULT_VLAN untagged 1 14 19 24 ip address dhcp bootp no untagged 15 18 exit vlan 100 name auth vid untagged 15 18 ip address dhcp bootp exit radius server host 10 0 13 118 key secret aaa authentication port access eap radius snmp server community public Unrestricted aaa port access web based 5 aaa port access web based 5 auth vid 100 aaa port access web based 5 unauth vid 1 aaa port access web bas...

Page 173: ... authentication process HP Switch config show running config Running configuration J9573A Configuration Editor Created on release KA 15 03 3003 Ver 01 00 01 hostname HP Switch module 1 type J9573x web management ssl qos dscp map 000000 priority 0 no stack auto join vlan 1 name DEFAULT_VLAN untagged 1 14 19 24 ip address dhcp bootp no untagged 15 18 exit vlan 100 name auth vid untagged 15 18 ip add...

Page 174: ...sed for example http 14 29 16 192 80 myServer html or https company com myServer html Syntax no aaa port access mac based unauth redirect Configure the HTTP redirect registration server feature redirect URL str Enable HTTP redirect registration server feature by configuring the URL of the registration page An entry can have either an IP address or a DNS name Only one server can be configured Note ...

Page 175: ... page The switch takes this request and responds to the client browser with an HTTP redirect to the configured URL The client MAC address and interface port are appended as HTTP parameters 4 Before returning the initial registration page to the client the switch enables NAT so that all subsequent requests will go to the web server directly The initial HTML page is returned to the switch and then p...

Page 176: ...eb page Switch takes request and redirects to web server HTTP request for initial registration page includes client MAC client port switch IP or MAC Initial registration page returned Switch enables NAT so all subsequent requests go directly to web server Initial registration page Switch filters all traffic only forwards HTTP traffic destined to configured web server RADIUSisupdatedwithclient s us...

Page 177: ...ys the HTTP redirect configuration Figure 4 39 Example of HTTP Redirect Configuration Reauthenticating a MAC Auth Client Using SNMP The MIB variable hpicfUsrAuthMacAuthClientReauthentica teEntry in the hpicfUsrAuthMIB provides the capability to reauthenticate a specific MAC auth client on a port The MAC address and port are required for SNMP reauthentication HP Switch config show port access mac b...

Page 178: ...le HP Switch config aaa port access mac based unauth redirect https serverA com 124 registration server reg html Unconfiguring a MAC Auth Registration Server Each configured registration server s URL must be removed by specifying it exactly for example HP Switch config no aaa port access mac based unauth redirect https serverA com 124 registration server reg html Operating Notes for HTTP Redirect ...

Page 179: ... Number of authorized and unauthorized clients VLAN ID number of the untagged VLAN used If the switch supports MAC based untagged VLANs MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions If tagged VLANs statically configured or RADIUS assigned are used Yes or No If client specific per port CoS Class of Service values are configured Yes or No or th...

Page 180: ...ddress for each MAC authenticated client on the switch The IP address displayed is taken from the DHCP binding table learned through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If a MAC authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for ...

Page 181: ...ed for a client s IP address n a IPv6 a web authenticated client uses an IPv6 address n a no info DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table HP Switch config show port access mac based clients 1 detailed Port Access MAC Based Client Status Detailed Client Base Details Port 1 Session Status authenticated Session Time sec 6 Username clie...

Page 182: ...es or No Controlled directions setting for transmitting Wake on LAN traffic on egress ports Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0 the default VLAN ID is used unless overridden by a RADIUS assigned value HP Switch config show port access mac based config Port Access MAC Based Configuration MAC Address Format no delimiter Allow RADIUS assigned dyna...

Page 183: ...st detailed Displays more detailed information on the currently config ured MAC Authentication settings for specified ports HP Switch config show port access mac based config 1 detailed Port Access MAC Based Detailed Configuration Port 1 Web based enabled Yes Client Limit 1 Client Moves No Logoff Period 300 Re Auth Period 0 Unauth VLAN ID 0 Auth VLAN ID 0 Max Requests 3 Quiet Period 60 Server Time...

Page 184: ...ts or specified ports and includes RADIUS server specific settings such as Timeout waiting period Numberoftimeoutssupportedbeforeauthenticationlogin fails Length of time quiet period supported between authentication login attempts HP Switch config show port access mac based config auth server Port Access MAC Based Configuration Client Client Logoff Re Auth Max Quiet Server Port Enabled Limit Moves...

Page 185: ...iculties See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan Unauthorized VLAN only 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfully applied to the port An a...

Page 186: ...4 72 Web and MAC Authentication Client Status ...

Page 187: ...a page 5 8 view the switch s TACACS server contact configuration n a page 5 9 configure the switch s authentication methods disabled page 5 10 configure the switch to contact TACACS server s disabled page 5 17 B Switch Configured for TACACS Operation Terminal A Directly Accessing the Switch Via Switch s Console Port Terminal B Remotely Accessing The Switch Via Telnet A Primary TACACS Server The sw...

Page 188: ... authentication services Some other terms you may see in literature describing TACACS operation are communication server remote access server or terminal server These terms apply to a switch when TACACS is enabled on the switch that is when the switch is TACACS aware TACACS Server The server or management station configured as an access control server for TACACS enabled devices To use TACACS with ...

Page 189: ...e on local authentication refer to chapter 2 Configuring Username and Password Security TACACS Authentication This method enables you to use a TACACS server in your network to assign a unique password user name and privilege level to each individual or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central se...

Page 190: ...nstallation This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect WebAgent access Refer to Controlling WebAgent Access When Using TACACS Authentication on page 5 28 General Authentication Setup Procedure It is important to test the TACACS service before fully implementing it Depending on the process and par...

Page 191: ...ator read only privilege level and the sets for logging in at the Manager read write privilege level The IP address es of the TACACS server s youwanttheswitchtouse for authentication If you will use more than one server determine which server is your first choice for authentication services The encryption key if any for allowingtheswitchtocommunicate with the server You can use either aglobalkeyor...

Page 192: ...correct local username and password for Manager access If the switch cannot find any designated TACACS servers the local manager and operator username password pairs are always used as the secondary access control method Caution You should ensure that the switch has a local Manager password Other wise if authentication through a TACACS server fails for any reason then unauthorized access will be a...

Page 193: ...ing data that could affect the console access 9 When you are confident that TACACS access through both Telnet and the switch s console operates properly use the write memory command to save the switch s running config file to flash Configuring TACACS on the Switch Before You Begin If you are new to TACACS authentication HP recommends that you read the General Authentication Setup Procedure on page...

Page 194: ...of access Syntax show authentication This example shows the default authentication configuration Figure 5 2 Example Listing of the Switch s Authentication Configuration Command Page show authentication 5 8 show tacacs 5 9 aaa authentication 5 10 through 5 16 console Telnet num attempts 1 10 tacacs server 5 17 host ip addr 5 17 key 5 22 timeout 1 255 5 23 Configuration for login and enable access t...

Page 195: ... TACACS servers the switch can contact Syntax show tacacs For example if the switch was configured for a first choice and two backup TACACS server addresses the default timeout period and paris 1 for a global encryption key show tacacs would produce a listing similar to the following Figure 5 3 Example of the Switch s TACACS Configuration Listing First Choice TACACS Server Second Choice TACACS Ser...

Page 196: ...Option for Login When using TACACS to control user access to the switch you must first login with your username at the Operator privilege level using the password for Operator privileges and then login again with the same username but using the Manger password to obtain Manager privileges You can avoid this double login process by entering the privilege mode option with the aaa authentication logi...

Page 197: ...eturned to the switch by the TACACS server Default Single login disabled local tacacs radius Selects the type of security access local Authenticates with the Manager and Operator password you configure in the switch tacacs Authenticates with a password and other data configured on a TACACS server radius Authenticates with a password and other data configured on a RADIUS server local none If the pr...

Page 198: ...cation for the access method being configured local Use the username password pair configured locally in the switch for the privilege level being configured tacacs Use a TACACS server local or none none n a Specifies the secondary backup type of authentication being configured local Theusername passwordpairconfiguredlocallyintheswitch for the privilege level being configured none No secondary type...

Page 199: ...s set to 15 as shown in Figure 5 4 Privileges are represented by the numbers 0 through 15 with zero allowing only Operator privileges and requiring two logins and 15 representing root privileges The root privilege level is the only level that will allow Manager level access on the switch Figure 5 4 Advanced TACACS Settings Section of the TACACS Server User Setup Then scroll down to the section tha...

Page 200: ...Server User Setup As shown in the next table login and enable access is always available locally through a direct terminal connection to the switch s console port However for Telnet access you can configure TACACS to deny access if a TACACS server goes down or otherwise becomes unavailable to the switch ...

Page 201: ...hentication while configuring Enable Primary for TACACS authentication is not recommended as it defeats the purpose of using the TACACS authentication If you want Enable Primary log in attempts to go to a TACACS server then you should configure both Login Primary and Enable Primary for Tacacs authentication instead of configuring Login Primary to Local authentication Access Method and Privilege Le...

Page 202: ...ry using TACACS server Secondary using Local HP Switch config aaa authentication console enable tacacs local Telnet Login Operator or Read Only Access Primary using TACACS server Secondary using Local HP Switch config aaa authentication Telnet login tacacs local Telnet Enable Manager or Read Write Access Primary using TACACS server Secondary using Local HP Switch config aaa authentication telnet e...

Page 203: ...erent encryption keys you can configure the switch to use different encryp tion keys for different TACACS servers The timeout value in seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the...

Page 204: ...r X will block authentication support from server X Syntax tacacs server host ip addr key key string oobm Adds a TACACS server and optionally assigns a server specific encryption key If the switch is configured to access multiple TACACS servers having different encryp tion keys you can configure the switch to use different encryption keys for different TACACS servers no tacacs server host ip addr ...

Page 205: ...ails then the switch tries the third address if any See figure 5 3 Example of the Switch s TACACS Configuration Listing on 5 9 The priority first choice second choice and third choice of a TACACS server in the switch s TACACS configuration depends on the order in which you enter the server IP addresses 1 When there are no TACACS servers configured entering a server IP address makes that server the...

Page 206: ...ed in the TACACS server s that the switch will access for authentication This option is subordinate to any per server encryption keys you assign and applies only to accessing TACACS servers for which you have not given the switch a per server key See the host ip addr key key string entry at the beginning of this table You can configure a TACACS encryption key that includes a tilde as part of the k...

Page 207: ...host ip addr command to delete both servers then use tacacs serverhost ip addr to re enter the 10 server first then the 15 server The servers would then be listed with the new first choice server that is HP Switch config show running config Running configuration J9573A Configuration Editor Created on release KA 15 03 3003 Ver 01 00 01 hostname HP Switch module 1 type J9573x vlan 1 name DEFAULT_VLA...

Page 208: ...ttempts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 5 26 To configure north01 as a global encryption key HP Switch config tacacs server key north01 To configure north01 as a per server encryption key HP Switch config tacacs server host 10 28 227 63 key north01 An encryption...

Page 209: ...keystring The keystring parameter is the encryption key in clear text Note The show tacacs command lists the global encryption key if configured However to view any configured per server encryption keys you must use show config or show config running if you have made TACACS configuration changes without executing write mem Configuring the Timeout Period The timeout period specifies how long the sw...

Page 210: ...not receive a response from the first choice TACACS server it attempts to query a secondary server If the switch does not receive a response from any TACACS server then it uses its own local username password pairs to authenti cate the logon request See Local Authentication Process on page 5 25 If a TACACS server recognizes the switch it forwards a user name prompt to the requesting terminal via t...

Page 211: ...thout a successful TACACS authentication the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again Local Authentication Process When the switch is configured to use TACACS it reverts to local authentica tion only if one of these two conditions exists Local is the authentication option for the access method being used TACACS is the p...

Page 212: ...l access you will see a prompt for both a local username and a local password during local authen tication Using the Encryption Key General Operation When used the encryption key sometimes termed key secret key or secret helpstopreventunauthorizedintruders onthenetworkfromreading username and password information in TACACS packets moving between the switch and a TACACS server At the TACACS server ...

Page 213: ...vers use server specific keys in the switch If you configure both a global key and one or more per server keys the per server keys will override the global key for the specified servers For example you would use the next command to configure a global encryp tion key in the switch to match a key entered as north40campus in two target TACACS servers That is both servers use the same key for your swi...

Page 214: ... the following Configure local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow WebAgent access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Disable WebAgent access to the switch by going to the System In...

Page 215: ...ation Invalid password The system does not recognize the username or the password or both Depending on the authentication method tacacs or local either the TACACS server application did not recognize the username password pair orthe username password pair did not match the username password pair configured in the switch No Tacacs servers responding TheswitchhasnotbeenabletocontactanydesignatedTACA...

Page 216: ...excludes because independent of TACACS the switch already denies access to such stations When TACACS is not enabled on the switch or when the switch s only designated TACACS servers are not accessible setting a local Operator password without also setting a local Manager password does not protect the switch from manager level access by unauthor ized persons When using the copy command to transfer ...

Page 217: ...users For accounting this can help you track network resource usage Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the HP switch Serial port Console Telnet SSH SFTP SCP WebAgent 8212zl 5400zl 4200vl 2800sasofsoftwareversionI 08 60 and 2600s as of software version H 08 58 switches Port Access 802 1X Feature Default Menu CLI W...

Page 218: ...pplied in a RADIUS server to support these optional RADIUS assigned attributes 802 1p CoS priority assignment to inbound traffic on the specified port s port access authentication only Per Port Rate Limiting on a port with an active link to an authenti cated client port access authentication only RADIUIS Administered Commands Authorization ThisfeatureenablesRADIUSservercontrolofanauthenticatedclie...

Page 219: ...tication protocol that supports multiple authentication mechanisms A specific authentication mechanism is known as an EAP type such as MD5 Challenge Generic Token Card and TLS Transport Level Security EXEC Session a service EXEC shell granted to the authenticated login user for doing management operations on the HP device Host See RADIUS Server NAS Network Access Server In this case a HP switch co...

Page 220: ... one and so on To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 6 67 YoucanselectRADIUSastheprimaryauthenticationmethodforeach type of access Only one primary and one secondary access method is allowed for each access type In the HP switch EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server When p...

Page 221: ...f you need to replace the default UDP destination port 1813 the switch uses for accounting requests to a specific Radius server select it before beginning the configuration process Determine whether you can use one global encryption key for all RADIUS servers or if unique keys will be required for specific servers With multiple RADIUS servers if one key applies to two or more of these servers then...

Page 222: ...s accessible for service requests Optional Determine whether the switch access level Manager or Operator for authenticated clients can be set by a Service Type value the RADIUS server includes in its authentication message to the switch Refer to 2 Enable the Optional Access Privilege Option on page 6 12 Configure RADIUS on the server s used to support authentication on the switch RADIUS Authentica...

Page 223: ...ication Authorization and Accounting Configuring the Switch for RADIUS Authentication The web authentication option for the WebAgent is available on the switches covered in this guide RADIUS Authentication Commands Page ...

Page 224: ...page 6 9 3 Configure the switch for accessing one or more RADIUS servers one primary server and up to two backup servers Note This step assumes you have already configured the RADIUS server s to support the switch Refer to the documentation provided with the RADIUS server documentation Server IP address Optional UDP destination port for authentication requests default 1812 recommended Optional UDP...

Page 225: ...ssume the server is available and then try to log on again Number of Login Attempts This is actually an aaa authentication command It controls how many times per session a RADIUS client and clients using other forms of access can try to log in with the correct username and password Default Three times per session For RADIUS accounting features refer to Accounting Services on page 6 48 1 Configure ...

Page 226: ...care Syntax aaa authentication console telnet ssh web enable login local radius web based mac based chap radius peap radius Configures RADIUS as the primary password authentication method for console Telnet SSH and or the WebAgent The default primary enable login authentication is local console telnet ssh web local none authorized Provides options for secondary authentication default none Note tha...

Page 227: ...ed local passwords on the switch but want RADIUS to protect primary Telnet and SSH access without allowing a second ary Telnet or SSH access option the switch s local passwords HP Switch config show authentication Status and Counters Authentication Information Login Attempts 3 Respect Privilege Disabled Login Login Login Access Task Primary Server Group Secondary Console Local None Telnet Local No...

Page 228: ...authenticated user authorized for the Manager privilege level must authenticate again to change privilege levels Using the optional login privilege mode command overrides HP Switch config aaa authentication telnet login radius none HP Switch config aaa authentication telnet enable radius none HP Switch config aaa authentication ssh login radius none HP Switch config aaa authentication ssh enable r...

Page 229: ... Prompt User 7 Operator Any Other Type Any ValueExcept 6 or 7 Access Denied This feature applies to console serial port Telnet SSH and WebAgent access to the switch It does not apply to 802 1X port access Notes While this option is enabled a Service Type value other than 6 or 7 or an unconfigured null Service Type causes the switch to deny access to the requesting client The no form of the command...

Page 230: ... servers The switch uses the first server it successfully accesses Refer to Changing the RADIUS Server Access Order on page 6 67 For switches that have a separate out of band manage ment port the oobm parameter specifies that the RADIUS traffic will go through the out of band management OOBM port auth port port number Optional Changes the UDP destination port for authenti cation requests to the sp...

Page 231: ... key key string Optional Specifies an encryption key for use during authentication oraccounting sessionswiththespecified server This key must match the encryption key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for the global encryption key Note Formerly when you saved the configuration file using Xmodem or TFTP the RA...

Page 232: ...dered to be cur rent and accepted for processing A zero value means there is no time limit A non zero value indicates that the even timestamp attribute is expected as part of all Change of Authorization and Disconnect request messages If the timestamp attribute is not present the message is dropped Default 300 seconds no radius server host ip address key Use the no form of the command to remove th...

Page 233: ...is key is optional if you configure a server specific key for each RADIUS server entered in the switch Refer to 3 Configure the Switch To Access a RADIUS Server on page 6 14 Server timeout Defines the time period in seconds for authentica tion attempts If the timeout period expires before a response is received the attempt fails Server dead time Specifies the time in minutes during which the switc...

Page 234: ...utting down the session due to input errors Default 3 Range 1 10 no radius server key global key string Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key Default Null dead time 1 1440 Optional Specif...

Page 235: ...only two tries to correctly enter username and password Use the global encryption key to support the two servers that use the same key For this example assume that you did not configure these two servers with a server specific key Use a dead time of five minutes for a server that fails to respond to an authentication request Allow three seconds for request timeouts Allow two retries following a re...

Page 236: ...None Enable Enable Enable Access Task Primary Server Group Secondary Console Local None Telnet Radius None Webui Local None SSH Radius None HP Switch config show radius Status and Counters General RADIUS Information Deadtime min 5 Timeout secs 3 Retransmit Attempts 2 Global Encryption Key My Global Key 1099 Dynamic Authorization UDP Port 3799 Auth Acct DM Time Server IP Addr Port Port CoA Window E...

Page 237: ...Configuring the Switch for RADIUS Authentication on page 6 6 for more information about configuring RADIUS servers i Figure 6 8 Example of RADIUS Server Group Command Output HP Switch config radius server host 10 33 18 151 acct port 1750 key source0151 HP Switch config write mem HP Switch config show radius Status and Counters General RADIUS Information Deadtime min 0 Timeout secs 5 Retransmit Att...

Page 238: ...ot be edited The no form of the command removes the RADIUS server with the indicated IP address from the server group If that server was the last entry in the group the group is removed radius group name The group name of the RADIUS server group The name has a maximum length of 12 characters Up to five groups can be configured with a a maximum of three RADIUS servers in each group The first group ...

Page 239: ...ased port access to the switch Use peap mschapv2 when you want password verification without requiring access to a plain text pass word it is more secure Default chap radius port access local eap radius chap radius Configures local chap radius MD5 or eap radius as the primary password authentication method for port access The default primary authentication is local Refer to the documentation for y...

Page 240: ...OOBM 192 168 1 3 1812 1813 No 300 default_key No 192 168 3 3 1812 1813 No 300 grp2_key No 192 172 4 5 1812 1813 No 300 grp2_key No 192 173 6 7 1812 1813 No 300 grp2_key No 192 168 30 3 1812 1813 No 300 grp3_key No 192 172 40 5 1812 1813 No 300 grp3_key No 192 173 60 7 1812 1813 No 300 grp3_key No Group Name group2 Auth Acct DM Time Server IP Addr Port Port CoA Window Encryption Key OOBM 192 168 3 ...

Page 241: ...dius None Telnet Local radius None Port Access Local None Webui Local None SSH Local None Web Auth ChapRadius group3 None MAC Auth ChapRadius group3 None Enable Enable Enable Access Task Primary Server Group Secondary Console Local radius None Telnet Radius group2 None Webui Local None SSH Local None Server group information HP Switch config show accounting Status and Counters Accounting Informati...

Page 242: ...tications are not disabled when the RADIUS server is unavailable The switch initiates reauthentications of clients at the specified period and the clients must comply with the requirements for the reauthentication pro cedure exactly as is done for the authorized authentication method The table below summarizes the differences between the authorized method and the cached reauthentication method Cac...

Page 243: ...ndary method Allows reauthentications to succeed when the RADIUS server is unavailable Users already authenticated retain their currently assigned session attributes The primary methods forport access authentication are local chap radius or eap radius The primary method for web based or mac based authentica tion is chap radius The secondary methods can be none authorized or cached reauth The defau...

Page 244: ...r Web MAC authentication allows the first cached reauthentica tion and starts the cached reauth period 6 A number of cached reauthentications occur within the 900 seconds after the start of the cached reauth period in step 5 These have a period of 180 X seconds 7 The cached reauthentication period 900 seconds ends 8 The next reauthentication begins 180 seconds after the last cached reau thenticati...

Page 245: ...cation 4 The time between step 8 and step 9 is X seconds 5 The total time is 180 X 900 180 X which equals 900 2 180 X seconds Note The period of 1 to 30 seconds represented by X is not a firm time period the time can vary depending on other 802 1X and Web MAC auth parameters ...

Page 246: ...the authentication features listed above excluding usernames passwords and keys Using SNMPsets a managementdevicecanchangetheauthenticationconfiguration includingchangesto usernames passwords andkeys Operatorread write access to the authentication MIB is always denied Security Note s All usernames passwords and keys configured in the hpSwitchAuth MIB are not returned via SNMP and the response to S...

Page 247: ...he following two commands Syntax snmp server mib hpswitchauthmib excluded included included Enables manager level SNMP read write access to the switch s authentication configuration hpSwitchAuth MIB excluded Disables manager level SNMP read write access to the switch s authentication configuration hpSwitchAuth MIB Default included Syntax show snmp server The output for this command has been enhanc...

Page 248: ..._____ SNMP Authentication Extended Password change Enabled Login failures Enabled Port Security Enabled Authorization Server Contact Enabled DHCP Snooping Enabled Dynamic ARP Protection Enabled Dynamic IP Lockdown Enabled Address Community Events Type Retry Timeout 15 255 131 57 public None trap 3 15 192 169 1 106 public None trap 3 15 15 255 135 68 public None trap 3 15 15 255 135 235 public None...

Page 249: ...w the Current Authentication MIB Access State HP Switch config show run Running configuration J9573A Configuration Editor Created on release KA 15 03 Ver 01 00 01 hostname HP Switch ip default gateway 10 10 24 55 vlan 1 name DEFAULT_VLAN untagged 1 24 ip address 10 10 24 100 255 255 255 0 exit snmp server community public Operator snmp server mib hpSwitchAuthMIB excluded password manager Indicates...

Page 250: ...t the requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level of th...

Page 251: ...onfigure local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow WebAgent access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Use one of the following methods to disable WebAgent access to the switch via h...

Page 252: ...the services for a user by enabling AAA RADIUS authorization The NAS uses the information set up on the RADIUS server to control the user s access to CLI commands The authorization type implemented on the switches covered in this guide is the commands method This method explicitly specifies on the RADIUS server which commands are allowed on the client device for authenticated users This is done on...

Page 253: ... which indicates whether the user has permission to execute the commands in the list See Configuring the RADIUS Server on page 6 38 After the Access Accept packet is deliver the command list resides on the switch Any changes to the user s command list on the RADIUS server are not seen until the user is authenticated again Syntax no aaa authorization commands radius none Configures authorization fo...

Page 254: ... denied execution by the user The commands are delimited by semi colons and must be between 1 and 249 characters in length Multiple instances of this attribute may be present in Access Accept packets A single instance may be present in Accounting Request packets HP Command Exception A flag that specifies whether the commands indicated by the HP Command String attribute are permitted or denied to t...

Page 255: ...ticated user is allowed to execute all commands available on the switch Not present PermitList DenyOthers 0 Authenticated user can only execute aminimalsetofcommands thosethat are available by default to any user Commands List DenyList PermitOthers 1 Authenticated user may execute all commands except those in the Commands list Commands List PermitList DenyOthers 0 Authenticated user can execute on...

Page 256: ...ictionary file for example hp ini containing the HP VSA definitions as shown in the example below User Defined Vendor The Name and IETF vendor code and any VSAs MUST be unique One or more VSAs named max 255 Each named VSA requires a definition section Types are STRING INTEGER IPADDR The profile specifies usage IN for accounting OUT for authorization MULTI if more than a single instance is allowed ...

Page 257: ...e sure regedit is not running as it can prevent registry backup restore operations Are you sure you want to proceed Y or N y Parsing hp ini for addition at UDV slot 0 Stopping any running services Creating backup of current config Adding Vendor HP added as RADIUS HP Done Checking new configuration New configuration OK Re starting stopped services 4 Start the registry editor regedit and browse to H...

Page 258: ...face Configuration Group Setup User Setup To enable the processing of the HP Command String VSA for RADIUS accounting 1 Select System Configuration 2 Select Logging 3 Select CSV RADIUS Accounting In the Select Columns to Log section add the HP Command String attribute to the Logged Attributes list 4 Select Submit 5 Select Network Configuration In the AAA Clients section select an entry in the AAA ...

Page 259: ...y dictionary hp to that location Open the existing dictionary file and add this entry INCLUDE dictionary hp 4 You can now use HP VSAs with other attributes when configuring user entries dictionary hp As posted to the list by User user_email Version Id dictionary hp v 1 0 2006 02 23 17 07 07 VENDOR Hp 11 HP Extensions ATTRIBUTE Hp Command String 2 string Hp ATTRIBUTE Hp Command Exception 3 integer ...

Page 260: ... running all clients are on the same untagged VLAN If the RADIUS server subsequently authenticates a new client but attempts to re assign the port to a different untagged VLAN than the one already in use for the previously existing authenticated client sessions the connection for the new client will fail Tagged and Untagged VLAN Attributes When you configure a user profile on a RADIUS server to as...

Page 261: ...ally reconfigure authentication parameters MS RAS Vendor RFC 2548 Allows HP switches to inform a Micro soft RADIUS server that the switches are from HP Networking This feature assists the RADIUS server in its network configuration HP capability advert AnHPproprietaryRADIUSattributethatallows a switch to advertise its current capabilities to the RADIUS server for port based MAC Web or 802 1X authen...

Page 262: ...on The Change of Autho rizationattributeprovidesthemechanismtodynamicallyupdateanactive client session with a new user policy that is sent in RADIUS packets See figures 6 16 and 6 17 See 3 Configure the Switch To Access a RADIUS Server on page 6 14 for configuration commands for dynamic authoriza tion Figure 6 16 Example of Output for Dynamic Authorization Configuration HP Switch config show radiu...

Page 263: ...formation Authorization Client IP Address 154 23 45 111 Unknown PKT Types Received 0 Disc Reqs 2 CoA Reqs 1 Disc Reqs Authorize Only 0 CoA Reqs Authorize Only 0 Disc ACKs 2 CoA ACKs 1 Disc NAKs 0 CoA NAKs 0 Disc NAKs Authorize Only 0 CoA NAKs Authorize Only 0 Disc NAKs No Ses Found 0 CoA NAKs No Ses Found 0 Disc Reqs Ses Removed 0 CoA Reqs Ses Changed 0 Disc Reqs Malformed 0 CoA Reqs Malformed 0 D...

Page 264: ...ounting Provides records containing the information listed below when system events occur on the switch including system reset system boot and enabling or disabling of system accounting Acct Session Id Acct Status Type Acct Terminate Cause Acct Authentic Acct Delay Time Acct Input Packets Acct Output Packets Acct Input Octets Nas Port Acct Output Octets Acct Session Time User Name Service Type NAS...

Page 265: ...ch does not learn the IP address after a minute it sends the accounting request packet to the RADIUS server without the Framed IP Address attribute If the IP address is learned at a later time it will be included in the next accounting request packet sent The switch forwards the accounting information it collects to the designated RADIUS server where the information is formatted stored and managed...

Page 266: ... in the same management session the default same Acct Session ID for all accounting service types used in the same management session Unique Acct Session ID Operation In the Unique mode the default the various service types running in a management session operate as parallel independent processes Thus during a specific management session a given service type has the same Acct Session ID for all ac...

Page 267: ...Name fred NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 NAS Port Type Virtual Calling Station Id 172 22 17 101 HP Command String logout Acct Delay Time 0 Acct Session Id 003300000008 Acct Status Type Stop Service Type NAS Prompt User Acct Authentic RADIUS NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 User Name fred Calling Station Id 172 22 17 101 Acct Terminate Cause User Request ...

Page 268: ...cct Status Type Stop Service Type NAS Prompt User Acct Authentic RADIUS User Name fred NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 NAS Port Type Virtual Calling Station Id 172 22 17 101 HP Command String logout Acct Delay Time 0 Acct Session Id 00330000000B Acct Status Type Stop Service Type NAS Prompt User Acct Authentic RADIUS NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 User ...

Page 269: ...y two backup The switch operates on the assumption that a server can operate in both accounting and authentication mode Refer to the documentation for your RADIUS server application Use the same radius server host command that you would use to configure RADIUS authentication Refer to 1 Configure the Switch To Access a RADIUS Server on page 6 54 RADIUS Accounting Commands Page no radius server host...

Page 270: ... and incrementing of this ID per CLI command for the Command service type Refer to Unique Acct Session ID Operation on page 6 50 Common Establishes the same Acct Session ID value for all service types including successive CLI commands in the same management session 3 Configure accounting types and the controls for sending reports to the RADIUS server Accounting types exec page 6 48 network page 6 ...

Page 271: ...d as an authentication method for one or more types of access to the switch Telnet Console etc Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the configuration acct port port number Optional Changes the UDP destination port for accounting requests to the specified RADIUS server If you do not use this option the switch automaticall...

Page 272: ...Attempts 3 Global Encryption Key Dynamic Authorization UDP Port 3799 Auth Acct DM Time Server IP Addr Port Port CoA Window Encryption Key OOBM 10 33 18 151 1812 1750 No 10 source0151 No Because the radius server command includes an acct port keyword with a non default UDP port number of 1750 the switch assigns this value as the UDP accounting port Syntax aaa accounting session id unique common Opt...

Page 273: ...witch to transmit whatever accounting data it currently has when one of the above events occurs Network Use network if you want to collect accounting information on 802 1X port based access to the network by users connected to the physical ports on the switch See also Accounting Service Types on page 6 57 For information on this feature refer to the chapter titled Configuring Switch Ports as 802 1...

Page 274: ...the switch has collected for the requested accounting type network exec or system service types For the commands service type sends the Stop accounting notice after execution of each CLI command Do not wait for an acknowledgment Interim Update Applies only to the command service type and is intended for use when the optional common session ID is configured Enabling interim update in this case resu...

Page 275: ...c network and system accounting service types Refer to Accounting Controls on page 6 58 stop only Applies to all accounting service types Refer to Accounting Controls on page 6 58 interim update Applies to the commands accounting service type Refer to Accounting Controls on page 6 58 HP Switch config aaa accounting exec start stop radius HP Switch config aaa accounting system stop only radius HP S...

Page 276: ... NAS Identifier gsf_dosx_15 Acct Delay Time 5 Acct Session Id 003600000002 Acct Status Type Start Service Type NAS Prompt User Acct Authentic Local NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 Calling Station Id 0 0 0 0 Acct Delay Time 0 Acct Session Id 003600000002 Acct Status Type Interim Update Service Type NAS Prompt User Acct Authentic Local NAS IP Address 10 1 242 15 NAS Identifier ...

Page 277: ...ure 6 24 Example of Optional Accounting Update Period and Accounting Suppression on Unknown User Syntax no aaa accounting update periodic 1 525600 Sets the accounting update period for all accounting ses sions on the switch The no form disables the update function and resets the value to zero Default zero dis abled Syntax no aaa accounting suppress null username Disables accounting for unknown use...

Page 278: ... a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Accounting Services on page 6 48 HP Switch show radius Status and Counters General RADIUS Information Deadtime min 5 Timeout secs 10 Retransmit Attempts 2 Global Encryption Key myg10balkey Dynamic Authorization UDP Port 3799 Source IP Sel...

Page 279: ...l as a timeout A send to a different server is counted as an Accounting Request as well as a timeout Malformed Responses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses Bad Authenticators The number of RADIUS Accountin...

Page 280: ...this server Access Rejects The number of RADIUS Access Reject packets valid or invalid received from this server Responses The number of RADIUS packets received on the accounting port from this server Term Definition Syntax show authentication Displays the primary and secondary authentication meth ods configured for the Console Telnet Port Access 802 1X and SSH methods of accessing the switch Also...

Page 281: ...e Disabled Login Login Login Access Task Primary Server Group Secondary Console Local None Telnet Radius None Port Access Local None Webui Local None SSH Radius None Web Auth ChapRadius radius None MAC Auth ChapRadius radius None Enable Enable Enable Access Task Primary Server Group Secondary Console Local None Telnet Radius None Webui Local None SSH Radius None HP Switch config show radius authen...

Page 282: ...he RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the switch HP Switch config show accounting Status and Counters Accounting Information Interval min 5 Suppress Empty User No Sessions Identification Common Type Method Mode Server Group Network None Exec Radius Start Stop System Radius Stop On...

Page 283: ...server addresses in the list For example if you initially configure three server addresses they are listed in the order in which you entered them However if you subsequently remove the second server address in the list and add a new server address the new address will be placed second in the list Thus to move a server address up in the list you must delete it from the list ensure that the position...

Page 284: ...t in the list 4 Re enter 10 10 10 1 Because the only position open is the third position this address becomes last in the list HP Switch show radius Status and Counters General RADIUS Information Deadtime min 0 Timeout secs 5 Retransmit Attempts 3 Global Encryption Key Dynamic Authorization UDP Port 3799 Source IP Selection Outgoing Interface Auth Acct DM Time Server IP Addr Port Port CoA Window E...

Page 285: ...ormation Deadtime min 0 Timeout secs 5 Retransmit Attempts 3 Global Encryption Key Dynamic Authorization UDP Port 3799 Source IP Selection Outgoing Interface Auth Acct DM Time Server IP Addr Port Port CoA Window Encryption Key OOBM 10 10 10 3 1812 1813 No 300 No 10 10 10 2 1812 1813 No 300 No 10 10 10 1 1812 1813 No 300 No Removes the 3 and 1 addresses from the RADIUS server list Inserts the 3 add...

Page 286: ...anges are always applied to the port on the authenticator switch associated with the supplicant being authenti cated Note All the changes requested by the VSAs must be valid for the switch configura tion For example if either MAC based or Web based port access is configured while 802 1X port access is in client mode a RADIUS client with a VSA to change the 802 1X port access to port based mode is ...

Page 287: ...he VSA Values range from 0 to 256 clients A zero client limit means this VSA is disabled This is an HP proprietary VSA with a value of 11 HP Port Client Limit WA This VSA temporarily alters the Web authentication client limit to the value contained in the VSA Values range from 0 to 256 clients A zero client limit means this VSA is disabled This is an HP proprietary VSA with a value of 12 HP Port A...

Page 288: ... access is in port mode If the 802 1X client limit is configured with a value from 1 32 the port access is in user mode Figure 6 34 Example of Summary Configuration Information Showing RADIUS Overridden Client Limits Syntax show port access summary radius overridden Displays summary configuration information for all ports including the ports that have client limits set by RADIUS VSAs radius overri...

Page 289: ...not supported The new VSAs are not supported in IDM and they cannot be specified in the configurations The new VSAs must be configured manually If the RADIUS server delivers a new VSA to an authenticator switch that does not understand it the Access Accept message is rejected HP Switch config show port access summary radius overridden Port Access Status Summary Port access authenticator activated ...

Page 290: ...6 74 RADIUS Authentication Authorization and Accounting Dynamic Removal of Authentication Limits ...

Page 291: ...e through 802 1X MAC Auth or Web Auth Clients using Web Auth must be IPv4 capable Server must support IPv4 and have an IPv4 address Service Application Standard RADIUS Attribute1 HP Vendor Specific RADIUS Attribute VSA Cos Priority per user 59 40 Ingress Rate Limiting per user 46 Egress Rate Limiting per port2 48 ACLs IPv6 and or IPv4 ACEs NAS Filter Rule per user 92 61 NAS Rules IPv6 sets IP mode...

Page 292: ...s For information on support for the above services in the HP E PCM Plus PCM application using the Identity Driven Management IDM plug in refer tothedocumentationforthese applicationsonthe HPwebsiteatwww hp com All of the RADIUS based services described in this chapter can be used without PCM or IDM support if desired ...

Page 293: ...the inbound packetsreceivedfrom a specific client authenticated on a switch port Standard Attribute used in the RADIUS server 59 This is the preferred attribute for new or updated configurations Vendor Specific Attribute used in the RADIUS server This attribute is maintained for legacy configurations HP vendor specific ID 11 VSA 40 Setting User Priority Table xxxxxxxx where x desired 802 1p priori...

Page 294: ...raffic from an authenticated client can be affected by the total bandwidth available on the client port Refer to Per Port Bandwidth Override on page 7 6 Egress Outbound Rate Limiting Per Port Assigns a RADIUS configuredbandwidth limit to the outbound traffic sentto a switch port Vendor Specific Attribute used in the RADIUS server HP vendor specific ID 11 VSA 48 string HP Setting HP RATE LIMIT band...

Page 295: ...their respective incremental values resulting in applied rates lower than the RADIUS assigned rates However others match their respective incremental values resulting in no difference between the RADIUS assigned rate limits and the applied rate limits Table 7 4 Examples of Assigned and Applied Rate Limits RADIUS Assigned Bits Per Second Rate Limit Applied Rate Limiting Increment 1 10 999 999 100 K...

Page 296: ...width and is receiving 450 000 Kbps of traffic from existing clients If a RADIUS server then authenticates a new client with an ingress rate limit of 100 000 Kbps the maximum ingress rate limit actually available for the new client is 50 000 Kbps as long as the bandwidth usage by the other clients already on the port remains at 450 000 Kbps For more on static rate limiting refer to Rate Limiting i...

Page 297: ...mit all bcast icmp mcast in kbps percent Outbound Egress Rate Limiting rate limit all bcast icmp mcast out kbps percent Appliesper port thatis toall clients on the port Uses the value assigned to the port by the most recent instance of client authentication Syntax show port access web based clients port list detail mac based clients port list detail authenticator clients port list detail If the sw...

Page 298: ... of 3 an inbound rate limit of 10 000 kbps and an outbound rate limit of 50 000 kbps then The inbound traffic from client X will be subject to a priority of 3 and inbound rate limit of 10 000 kbps Traffic from other clients using the port will not be affected by these values The combined rate limit outbound for all clients using the port will be 50 000 kbps until either all client sessions end or ...

Page 299: ...ssion for client X is still active then the port operates with an outbound rate limit of 500 kbps for both clients Figure 7 1 Example Illustrating Results of Client Authentication on Port 4 Assignment Method on Port 10 802 1p Inbound Rate Limit Outbound Rate Limit Statically Configured Values 7 100 000 kbs 100 000 kbs RADIUS assigned when client X authenticates 3 10 000 kbs 50 000 kbs Combined rat...

Page 300: ...ride Disabled Disabled No override 2 Disabled Disabled No override Disabled Disabled No override 3 1000 kbps Override 1000 kbps 50000 4 50 Override 50 50000 5 50 No override 50 No override Ports3 5haveCLI configuredinboundper port rate limits and clients with RADIUS assigned inbound per client rate limits To see the per client RADIUS settings use the command illustrated in figure 7 1 Ports 3 5 als...

Page 301: ...ontrol Lists ACLs in this manual the chapter titled IPv6 Access Control Lists ACLs in thelatest IPv6 Configuration Guide for your switch Terminology ACE See Access Control Entry below Access Control Entry ACE An ACE is a policy consisting of a packet handling action and criteria to define the packets on which to apply the action For ACE details refer to ACE Syntax in RADIUS Servers on page 7 25 Ac...

Page 302: ...P traffic from any source to any destination This statement is the implicit final statement in an ACL Dynamic ACL See RADIUS assigned ACL Extended ACL This is an IPv4 access control list that uses layer 3 criteria composed of source and destination IPv4 addresses and optionally TCP UDP port ICMP IGMP precedence or ToS criteria to determine whether there is a match with an IP packet Except for RADI...

Page 303: ... ACE The prefix length is specified in CIDR format by nn immediately following the specified SA or DA address For example if the SA prefix in an ACE is 2001 db8 127 48 then the first 48 bits in the SA of a packet being com pared to that ACE must be the same to allow a match In this case bits 49 through 128 are not compared and are termed a wildcard For the IPv4 equivalent see ACL Mask RADIUS Assig...

Page 304: ...t types and IGMP IPv4 only if you do not want their access privileges to include these capabilities Traffic Applications The switch supports RADIUS assigned ACLs for the following traffic applica tions inbound IPv4 traffic only inbound IPv4 and IPv6 traffic This feature is designed for use on the network edge to accept RADIUS assigned ACLs for Layer 3 filtering of IP traffic entering the switch fr...

Page 305: ...tion triggered the ACL assignment to the port A RADIUS assigned ACL can be applied regardless of whether IP traffic on theportisalreadybeingfilteredbyother staticACLsthatarealreadyassigned Table 7 6 lists the supported per port ACL assignment capacity Table 7 6 Simultaneous ACL Activity Supported Per Port1 ACL Type Function IPv4 IPv6 VACL Static ACL assignment to filter inbound IP traffic on a spe...

Page 306: ...ntering the switch from individual authenticated clients is most important and where clients with differing access requirements are likely to use the same port Designed for use where the filtering needs focus on static configurations covering switched IP traffic entering from multiple authenticated or unauthenticated sources VACLs or static port ACLs routed IPv4 traffic RACLs IP traffic from multi...

Page 307: ...s and standard extended and connection rate IPv4 ACLs Refer to Configuring and Applying Connection Rate ACLs on page 3 17 A given RADIUS assigned ACL operates on a port to filter onlytheIPtrafficenteringtheswitchfromtheauthenticated clientcorrespondingtothatACL anddoesnotfilterIPtraffic inboundfromotherauthenticatedclients Thetrafficsource is not a configurable setting An RACL applied to inbound t...

Page 308: ... IPv4 traffic then the ACL will implicitly deny any inbound IPv6 traffic from the authenticated client If the filter rule used for a RADIUS based ACL is the option for specifying bothIPv4 and IPv6 traffic then the ACL filter both IP traffic types according to the ACEs included in the RADIUS assigned ACL When the client session ends the switch removes the RADIUS assigned ACL from the client port No...

Page 309: ...ound on the switch 2 Plan ACLs to execute traffic policies Apply ACLs on a per client basis where individual clients need differ ent traffic policies or where each client must have a different user name password pair or will authenticate using MAC authentication Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same username password pair...

Page 310: ...spect of maintaining network security However because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IP packet transmissions they should not be relied upon for a complete security solution Operating Rules for RADIUS Assigned ACLs Relating a Client to a RADIUS Assigned ACL A RADIUS assignedACLforaparticularclientmustbe configuredintheR...

Page 311: ... Same Port Ona portconfiguredfor802 1X user based access where multiple clients are connected if a given client s authentication results in a RADIUS assigned ACL then the authentication of any other client concurrently using the port must also include a RADIUS assigned ACL Thus if a RADIUS server is configured to assign a RADIUS assigned ACL when client X authen ticates but is not configured to do...

Page 312: ...r to the docu mentation provided with the application Note This application requires a RADIUS server having an IPv4 address Clients can be dual stack IPv4 only or IPv6 only A RADIUS assigned ACL configuration in a RADIUS server includes the following elements Nas Filter Rule attributes standard and vendor specific ACL configuration entered in the server and associated with specific username passwo...

Page 313: ...efer to Set IP Mode below Set IP Mode Used with the Nas filter Rule attribute described above to provide IPv6 traffic filtering capability in an ACE HP Nas Rules IPv6 63 Vendor Specific Attribute When using the standard attribute 92 described above in a RADIUS assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client one instance of this VSA must be included in the AC...

Page 314: ...HP Nas Rules IPv6 1 Nas filter Rule deny in tcp from any to 10 10 10 1 23 Nas filter Rule deny in tcp from any to 0 23 In cases where you do not want the selected traffic type for either IPv4 or IPv6 to go to the any destination you must use two ACEs to specify the destination addresses For example HP Nas Rules IPv6 1 Nas filter Rule deny in tcp from any to 10 10 10 1 23 Nas filter Rule deny in tc...

Page 315: ...nded to filter inbound IPv6 traffic from an authenticated client Refer also to table 7 7 Nas Filter Rule Attribute Options on page 7 23 HP Nas filter Rule Legacy HP VSA for filtering inbound IPv4 traffic only from an authenticated client Drops inbound IPv6 traffic from the client Refer also to table 7 7 Nas Filter Rule Attribute Options on page 7 23 Must be used to enclose and identifies a complet...

Page 316: ...sed instead of either of the above options For example all of the following destinations are for IPv4 traffic HP Nas filter Rule permit in tcp from any to any 23 HP Nas filter Rule permit in ip from any to 10 10 10 1 24 HP Nas filter Rule deny in ip from any to any Specifies any IPv4 or IPv6 destination address if the ACL uses the HP Nas Rules IPv6 VSA with an integer setting of 1 Refer to table 7...

Page 317: ...fix specifies the number of leftmost bits in a packet s destination IPv6 address that must match the corresponding bits in the destination IPv6 address listed in the ACE For example a destination of FE80 1b 127 112 in the ACE means that a match occurs when an inbound packet of the designated IPv6 type from the authenticated client has a destination IPv6 address where the first 112 are FE80 1b The ...

Page 318: ... and a password of run10kFast a client having a MAC address of 08 E9 9C 4F 00 19 The ACL in this example must achieve the following permit http TCP port 80 traffic from the client to the device at 10 10 10 101 deny http TCP port 80 traffic from the client to all other devices permit all other traffic from the client to all other devices To configure the above ACL you would enter the username passw...

Page 319: ...the VSA for RADIUS Assigned IPv6 and IPv4 ACLs in a FreeRADIUS Server mobilE011 Auth Type Local User Password run10kFast Nas FILTER Rule permit in tcp from any to host 10 10 10 101 80 Nas FILTER Rule deny in tcp from any to any 80 Nas FILTER Rule permit in ip from any to any 08E99C4F0019 Auth Type Local User Password 08E99C4F0019 Nas FILTER Rule permit in tcp from any to host 10 10 10 101 80 Nas F...

Page 320: ...xample suppose that you wanted to create ACL support foraclienthaving ausernameof Admin01 anda passwordof myAuth9 The ACL in this example must achieve the following Permit http TCP port 80 traffic from the client to the device at FE80 a40 Deny http TCP port 80 traffic from the client to all other IPv6 addresses Permit http TCP port 80 traffic from the client to the device at 10 10 10 117 Deny http...

Page 321: ...filter rule permit in tcp from any to FE80 a40 80 Nas filter rule deny in tcp from any to 0 80 Nas filter rule permit in tcp from any to 10 10 10 117 80 Nas filter rule deny in tcp from any to 0 0 0 0 0 80 Nas filter rule deny in tcp from any to any 23 Nas filter rule permit in ip from any to any Client s Username 802 1X or Web Authentication Client s Password 802 1X or Web Authentication In an AC...

Page 322: ...t is 1234 you would enter the following in the server s clients conf file Figure 7 10 Example of Switch Identity Information for a FreeRADIUS Application 3 For a given client username password pair create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS users file Remember that the ACL you create to filter IPv4 traffic automatically includes animplicitdeny in ip from any to any ACE for I...

Page 323: ... above ACL you would enter the username password and ACE information shown in figure 7 11 into the FreeRADIUS users file Figure 7 11 Example of Configuring a FreeRADIUS Server To Filter IPv4 Traffic for a Client Using the Correct Username and Password Credentials User 10 Auth Type Local User Password auth7X HP Nas Rules IPv6 1 HP Nas filter Rule permit in tcp from any to 10 10 10 117 80 HP Nas fil...

Page 324: ...ny IPv6 traffic from the client assumes that HP Nas Rules IPv6 1 does not exist elsewhere in the ACL Refer to table 7 7 on page 7 23 for more on HP Nas Rules IPv6 HP Nas Filter Rule permit in ip from any to any Nas filter Rule permit in ip from any to any HP Nas Rules IPv6 2 Explicitly Denying Inbound Traffic From an Authenticated Client Any of the following three options for ending a RADIUS assig...

Page 325: ...er should be accessible to the switch and configured to support authentication requests from clients using the switch to access the network For more on RADIUS configuration refer to chapter 6 RADIUS Authentication and Accounting 2 Configure RADIUS network accounting on the switch optional aaa accounting network start stop stop only radius You can also view ACL counter hits using either of the foll...

Page 326: ...ion and operation refer to chapter 13 Configuring Port Based and User Based Access Control 802 1X in this guide MAC Authentication Option Syntax aaa port access mac based port list This command configures MAC authentication on the switch and activates this feature on the specified ports For more on MAC authentication refer to chapter 4 Web and MAC Authentica tion Web Authentication Option Syntax a...

Page 327: ...ed client is configured to filter IPv4 traffic only or both IPv4 and IPv6 traffic Refer to Table 7 7 on page 7 23 for more on this topic the explicit ACEs switch port and client MAC address for each ACL dynamically assigned by a RADIUS server as a response to client authentication If cnt counter is included in an ACE then the output includes the current number of inbound packet matches the switch ...

Page 328: ... is not enabled for the ACL assigned to the authenticated client Syntax show port access web based mac based authenticator clients port list detailed For ports in port list configured for authentication shows the details of the RADIUS assigned features listed below that are active as the result of a client authentication Ports in port list that are not configured for authentication are not listed ...

Page 329: ...N IDs VIDs of any tagged VLANs currently supporting the authen ticated connection RADIUS ACL List Lists the explicit ACEs in the ACL assigned to the port for the authenticated client Includes the ACE Hit Count matches for ACEs configured with the cnt option Refer to ACE Syntax in RADIUS Servers on page 7 25 If a RADIUS ACL for the authenticated client is not assigned to the port No Radius ACL List...

Page 330: ...Client Status Detailed Client Base Details Port 9 Session Status authenticated Session Time sec 5 Username acluser1 MAC Address 0017a4 e6d787 IP n a Access Policy Details COS Map 77777777 In Limit Kbps 1000 Untagged VLAN 10 Out Limit Kbps Not Set Tagged VLANs 20 RADIUS ACL List deny in 23 from any to 10 0 8 1 24 23 CNT Hit Count 1 permit in 1 from any to 10 0 10 1 24 CNT Hit Count 112 deny in udp ...

Page 331: ...152 153 destination unreachable packet too big time exceeded parameter problem echo request echo reply multicast listener query multicast listener reply multicast listener done router solicitation router advertisement neighbor solicitation neighbor advertisement redirect message router renumbering icmp node information query icmp node information response inverse neighbor discovery solicitation me...

Page 332: ...as been exceeded An IPv6 ACE has been received on a port and either the HP Nas Rules IPv6 attribute is missing or HP Nas Rules IPv6 2 is configured Refer to table 7 7 on page 7 23 for more on this attribute Monitoring Shared Resources Currently active RADIUS based authentication sessions including HP IDM client sessions using RADIUS assigned ACLs share internal switch resources with several other ...

Page 333: ...sbut unlikeTelnet SSHprovidesencrypted authenticated transactions The authentication types include Client public key authentication Switch SSH and user password authentication Feature Default Menu CLI WebAgent Generating a public private key pair on the switch No n a page 8 9 n a Using the switch s public key n a n a page 8 12 n a Enabling SSH Disabled n a page 8 15 n a Enabling client public key ...

Page 334: ...n shown in figure 8 1 It occurs if the switch has SSH enabled but does not have login access login public key configured to authenticate the client s key As in figure 8 1 the switch authen ticates itselfto SSH clients Users on SSH clients then authenticate themselves to the switch login and or enable levels by providing passwords stored locally on the switch or on a TACACS or RADIUS server However...

Page 335: ...te key generated by an SSH client applica tion is typically stored in a file on the client device and together with its public key counterpart can be copied and stored on multiple devices Public Key An internally generated counterpart to a private key A device s public key is used to authenticate the device to other devices Enable Level Manager privileges on the switch Login Level Operator privile...

Page 336: ...entication page 8 2 then the client program must have the capability to generate or import keys Public Key Formats Any client application you use for client public key authentication with the switch must have the capability to export public keys The switch can accept keys in the PEM Encoded ASCII Format or in the Non Encoded ASCII format Figure 8 3 Example of Public Key in PEM Encoded ASCII Format...

Page 337: ... using another SSH application b Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public key file to theswitch Theclientpublickey filecanholdupto10clientkeys This topic is covered under To Create a Client Public Key Text File on page 8 26 Switch Access Level Primary SSH Authentication Authenticate SwitchPublicKey to SSH Clients Authent...

Page 338: ...se In all cases the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none If the primary option is local the secondary option must be none Option B Primary Client public key authentication login public key page 8 25 Secondary none Note that ...

Page 339: ...onfig command Once you generate a key pair on the switch you should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow security breaches The switch does not support outbound SSH sessions Thus if...

Page 340: ...cation 8 24 crypto key generate zeroize autorun key rsa cert rsa keysize ssh dsa rsa bits keysize 8 10 ip ssh 8 16 cipher cipher type 8 17 filetransfer 8 17 ip version 8 17 mac 8 18 port 1 65535 default 8 16 timeout 5 120 8 16 listen oobm data both 8 18 aaa authentication ssh login local tacacs radius public key 8 20 8 22 local none 8 20 enable tacacs radius local 8 20 local none 8 20 copy tftp pu...

Page 341: ...es this key pair along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch The host key pair is stored in the switch s flash memory and only the public key in this pair is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the SSH clients which s...

Page 342: ...ecute show ip ssh However any active SSH sessions will continue to run unless explicitly terminated with the CLI kill command To Generate or Erase the Switch s Public Private Host Key Pair Because the host key pair is stored in flash instead of the running config file it is not necessary to use write memory to save the key pair Erasing the key pair automatically disables SSH Syntax crypto key gene...

Page 343: ...plays switch s public key Displays the version 1 and version 2 views of the key See SSH Client Public Key Authentication on page 2 16 in this guide for information about public keys saved in a configuration file babble Displays hashes of the switch s public key in phonetic format See Displaying the Public Key on page 8 14 fingerprint Displays fingerprints of the switch s public key in hexadecimal ...

Page 344: ...ength of the generated host key The size of the host key is platform dependent as different switches have different amounts of processing power The size is represented by the keysize parameter and has the values shown in Table 8 2 The default value is used if keysize is not specified 3 Providing the Switch s Public Key to Clients When an SSH client contacts the switch for the first time the client...

Page 345: ... Notepad as straight ASCII text and copy the switch s public key into the file 3 Ensure that there are no changes or breaks in the text string A public key must be an unbroken ASCII string Line breaks are not allowed Changes in the line breaks will corrupt the Key For example if you are using Windows Notepad ensure that Word Wrap in the Edit menu is disabled and that the key text appears on a sing...

Page 346: ...e switch is using for authenticating itself to a client matches the copy of this key in the client s known hosts file Non encoded ASCII numeric string Requires a client ability to display the keys in the known hosts file in the ASCII format This method is tedious and error prone due to the length of the keys See figure 8 7 on page 8 13 Phonetic hash Outputs the key as a relatively short series of ...

Page 347: ...of its public key for file storage and default display format 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients After you enable SSH the switch can authenticate itself to SSH clients Note Before enabling SSH on the switch you must generate the switc...

Page 348: ...ssible for a man in the middle attack that is for an unauthorized device to pose undetected as the switch and learn the usernames and passwords controlling access to the switch This possibility can be removed by directly connecting the management station to the switch s serial port using a show command to display the switch s public key and copying the key from the display into a file This require...

Page 349: ...Default All cipher types are available Use the no form of the command to disable a cipher type filetransfer Enable disable secure file transfer capability SCP and SFTP secure file transfer will not function unless SSH is also enabled ip version 4 6 4or6 Select the IP mode to run in The mode ip version 4 only accepts connections from IPv4 clients The mode ip version 6 only accepts connections from ...

Page 350: ...negotiation and authentication Default 120 seconds listen oobm data both The listen parameter is available only on switches that have a separate out of band management port Values for this parameter are oobm inbound SSH access is enabled only on the out of band management port data inbound SSH access is enabled only on the data ports both inbound SSH access is enabled on both the out of band manag...

Page 351: ...e of the security this provides you may want to disable web based and or Telnet access no web management and no telnet If you need to increase SNMP security you should use SNMP version 3 only If you need to increase the security of your web interface see the section on SSL Another security measure is to use the Authorized IP Managers feature described in the switch s Management and Configuration G...

Page 352: ... s configuration Also if you configure only an Operator password entering the Operator pass word through telnet web ssh or serial port access enables full manager privileges See 1 Assigning a Local Login Operator and Enable Manager Password on page 8 9 Option A Configuring SSH Access for Password Only SSH Authentication When configured with this option the switch uses its pub lic key to authentica...

Page 353: ... public key file into a TFTP server accessible to the switch and download the file to the switch For more on these topics refer to Further Information on SSH Client Public Key Authentication on page 8 25 With steps 1 3 above completed and SSH properly configured on the switch if an SSH client contacts the switch login authentication automatically occurs first using the switch and client public key...

Page 354: ...up this operation you would configure the switch in a manner similar to the following Syntax aaa authentication ssh enable local tacacs radius local none Configures a password method for the primary and second ary enable Manager access If you do not specify an optional secondary method it defaults to none If the primary access method is local you can only specify none for a secondary access method...

Page 355: ... HP Switch config aaa authentication ssh login public key none HP Switch config aaa authentication ssh enable tacacs local HP Switch config coy tftp pub key file 10 33 18 117 HP Switch config write memory ConfiguresManageruser name and password Configures the switch to allow SSH access only for a client whose public key matchesoneofthe keys in the public key file Configures the primary and seconda...

Page 356: ... Auth ChapRadius radius Authorized MAC Auth ChapRadius radius None Enable Enable Enable Access Task Primary Server Group Secondary Console Local None Telnet Local None Webui Local None SSH Tacacs Local HP Switch config show crypto client public key 0 Maden name 1024 bit rsa Local_cryto Local crypto Thu Nov 07 2009 21 25 42 ssh rsa AAAAB3NzaClyc2EAAAADAQABAAAAgQcz9oNfqxMHUFEC6frSu1Sa4Uh1EFznFhQqmgP...

Page 357: ... That is if you use this feature only the clients whose public keys are in the client public key file you store on the switch will have SSH access to the switch over the network If you do not allow secondary SSH login Operator access via local password then the switch will refuse other SSH clients SSH clients that support client public key authentication normally provide a utility to generate a ke...

Page 358: ...mpares it to the client s hash version If they match then the client is authenticated Otherwise the client is denied access Using client public key authentication requires these steps 1 Generate a public private key pair for each client you want to have SSH access to the switch This can be a separate key for each client or the same key copied to several clients 2 Copy the public key for each clien...

Page 359: ...n into the file Each key should be separated from the preceding key by a CR LF 3 Copy the client public key file into a TFTP server accessible to the switch Property Supported Value Comments Key Format ASCII See figure 8 7 on page 8 13 The key must be one unbroken ASCII string If you add more than one client public key to a file terminate each key except the last one with a CR LF Spaces are allowe...

Page 360: ...at the end of the key in figure 8 13 on page 8 26 Syntax copy tftp pub key file ip address filename append manager operator oobm Copies a public key file from a TFTP server into flash memory in the switch The append option adds the key s for operator access The manager option replaces the key s for manager access follow with the append option to add the key s The operator option replaces the key s...

Page 361: ...ow crypto client public key manager operator keylist str babble fingerprint Displays the client public key s in the switch s current client public key file See SSH Client Public Key Authentication on page 2 16 in this guide for information about public keys saved in a configuration file The babble option converts the key data to phonetic hashes that are easier for visual comparisons The fingerprin...

Page 362: ...ey file on the switch Enabling Client Public Key Authentication After you TFTP a client public key file into the switch described above you can configure the switch to allow the following If an SSH client s public key matches the switch s client public key file allow that client access to the switch If there is not a public key match then deny access to that client Caution To enable client public ...

Page 363: ... are also messages that indicates when a client public key is installed or removed ssh num bits bit rsa dsa client public key installed removed manager operator access key_comment Note Only up to 39 characters of the key comment are included in the event log message Debug Logging To add ssh messages to the debug log output enter this command HP Switch debug ssh LOGLEVEL where LOGLEVEL is one of th...

Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...

Page 365: ... SSL in the switches covered in this guide is based on the OpenSSL software toolkit For more information on OpenSSL visit www openssl com Server Certificate authentication with User Password Authentication This option is a subset of full certificate authentication of the user and host It occurs only if the switch has SSL enabled As in figure 9 1 the switch authenticates itself to SSL enabled web b...

Page 366: ...h the credentials of the subject to which the certificate was issued Information contained within the certificate includes name of the subject serial number date of validity subject s public key and the digital signature of the authority who issued the certificate Certificates on HP switches conform to the X 509v3 standard which defines the format of the certificate Self Signed Certificate A certi...

Page 367: ... Level Manager privileges on the switch Operator Level Operator privileges on the switch Local password or username A Manager level or Operator level pass word configured in the switch SSL Enabled 1 A certificate key pair has been generated on the switch WebAgent or CLI command crypto key generate cert key size 2 A certificate been generated on the switch WebAgent or CLI command crypto host cert g...

Page 368: ... browser Not e The latest versions of Microsoft Internet Explorer and Netscape web browser support SSL and TLS functionality See browser documentation for additional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 9 6 2 Generate a host certificate on the switch page 9 6 i Generate certificate key pair ii Generate host certificate You need to do...

Page 369: ...pelling reason Otherwise you will have to re introduce the switch s certificate on all management stations clients you previously set up for SSL access to the switch In some situations this can temporarily allow security breaches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config c...

Page 370: ...ment and Configuration Guide for your switch 2 Generating the Switch s Server Host Certificate You must generate a server certificate on the switch before enabling SSL The switch uses this server certificate along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch The session key pair mentioned above is...

Page 371: ...oot CA certificate and can be verified unequivocally Not e There is usually a fee associated with receiving a verified certificate and the valid dates are limited by the root certificate authority issuing the certificate When you generate a certificate key pair and or certificate on the switch the switch places the key pair and or certificate in flash memory and not in running config Also the swit...

Page 372: ... host cert generate self signed Arg List command Not e When generating a self signed host certificate on the CLI if there is not certificate key generated this command will fail Comments on Certificate Fields There are a number arguments used in the generation of a server certificate table 9 1 Certificate Field Descriptions describes these arguments Syntax crypto key generate cert rsa bits 512 768...

Page 373: ...to begin using the SSL functionality Valid End Date This can be any future date however good security practices would suggest a valid duration of about one year between updates of passwords and keys Common name This should be the IP address or domain name associated with the switch Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the sw...

Page 374: ...to host cert Command Generate a Self Signed Host Certificate with the WebAgent You can configure SSL from the WebAgent For more information on how to access the WebAgent refer to the chapter titled Using the HP WebAgent in the Management and Configuration Guide for your switch To generate a self signed host certificate from the WebAgent i In the WebAgent navigation pane click on Security ii Click ...

Page 375: ... key generation can take up to two minutes if the key queue is empty Figure 9 4 Self Signed Certificate generation via SSL WebAgent Screen Generate a CA Signed server host certificate with the WebAgent The installation of a CA signed certificate involves interaction with other entities and consists of three phases The first phase is the creation of the CA certificate request which is then copied o...

Page 376: ...ch is then validated by the switch and put into use by enabling SSL To generate a certificate request from the WebAgent i In the navigation pane click on Security ii Click on SSL iii In the Web Management box enable SSL if it is not already checked iv In the SSL Certificate box fill out the fields and select Create request Figure 9 5 Example of CA Certificate Generation via SSL WebAgent Screen To ...

Page 377: ...he option of acceptingorrefusing IfaCA signedcertificateisusedontheswitch forwhich a root certificate exists on the client browser side then the browser will NOT prompt the user to ensure the validity of the certificate The browser will be able to verify the certificate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequiv...

Page 378: ...nt ssl Zeroize the switch s host certificate or certificate key page 9 7 Using the WebAgent to Enable SSL To enable SSL on the switch i In the navigation pane click on Security ii Click on SSL iii Click on the Change button iv Check the SSL Enable box to enable SSL v Enter the TCP port you desire to connect on It is recommended you use the default IP port number of 443 vi Click on Save To disable ...

Page 379: ...witches are 49 80 1506 and 1513 C a u t i o n SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides youmaywanttodisableTelnetaccess notelnet IfyouneedtoincreaseSNMP security use SNMP version 3 only for SNMP access Another securi...

Page 380: ...he CLI or WebAgent You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the WebAgent on page 9 10 You may be using a reserved TCP port Refer to Note on Port Number on page 9 15 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior on page 9 13 Your browser may not suppor...

Page 381: ... simultaneousoperationofstaticallyconfiguredIPv4andIPv6ACLs is supported in these switches as well as dynamic RADIUS assigned ACLs capable of filtering both IPv4 and IPv6 traffic from authenticated clients However IPv4 and IPv6 ACEs cannot be combined in the same static ACL IPv4 and IPv6 static ACLs do not filter each other s traffic In this chapter unless otherwise noted The term ACL refers to st...

Page 382: ...Eliminates unwanted traffic in a path by filtering IPv4 packets where they enter or leave the switch on specific VLAN interfaces IPv4 ACLs can filter traffic to or from a host a group of hosts or entire subnets Notes IPv4 ACLs can enhance network security by blocking selected traffic and can serve as part of your network security program However because ACLs do not provide user or device authentic...

Page 383: ...is enabled Refer to Notes on IPv4 Routing on page 10 24 VLAN ACL VACL A VACL is an ACL configured on a VLAN to filter traffic entering the switch on that VLAN interface and having a destination on the same VLAN Static Port ACL A static port ACL is an ACL configured on a port to filter traffic entering the switch on that port regardless of whether the traffic is routed switched or addressed to a de...

Page 384: ... RADIUS server refer to the chapter titled Configuring RADIUS Server Support for Switch Services Note This chapter describes the IPv4 ACL applications you can statically configure on the switch For information on static IPv6 ACL applications refer to the chapter titled IPv6 Access Control Lists ACLs in the latest IPv6 Configu ration Guide for your switch ...

Page 385: ... Standard ACL HP Switch config ip access list standard name str 1 99 HP Switch config std nacl no 1 2147483647 10 90 Resequence the ACEs in a Standard ACL HP Switch config ip access list resequence name str 1 99 1 2147483647 1 2147483646 10 91 Enter or Remove a Remark from a Standard ACL HP Switch config ip access list standard name str 1 99 HP Switch config ext nacl remark remark str no 1 2147483...

Page 386: ...ded Numbered ACL or Add an ACE to the End of an Existing Numbered ACL HP Switch config access list 100 199 deny permit ip options tcp udp options igmp options icmp options precedence priority tos tos setting log 2 Note Uses the same IP TCP UDP IGMP and ICMP options as shown above for Create an Extended Named ACL 10 74 Insert an ACE by AssigningaSequence Number HP Switch config ip access list exten...

Page 387: ... access list 100 199 10 85 Action Command s Page Enable or Disable an RACL HP Switch config no vlan vid ip access group identifier in out 10 81 Enable or Disable a VACL HP Switch config no vlan vid ip access group identifier vlan Enable or Disable a Static Port ACL HP Switch config no interface port list Trkx access group identifier in HP Switch eth port list Trkx no ip access group identifier in ...

Page 388: ...t consisting of one or more explicitly configured Access Control Entries ACEs and terminating with an implicit deny ACE ACL types include standard and extended See also Standard ACL and Extended ACL To filter IPv4 traffic apply either type in any of the following ways RACL an ACL assigned to filter routed traffic entering or leaving the switch on a VLAN Separate assignments are required for inboun...

Page 389: ...ination intended by the packet s originator In an extended ACE this is the second of two addresses required by the ACE to determine whether there is a match between a packet and the ACE See also SA Deny An ACE configured with this action causes the switch to drop a packet for which there is a match within an applicable ACL Dynamic Port ACL See RADIUS Assigned ACL Extended ACL This type of IPv4 Acc...

Page 390: ...enerated by the switch routing must be con figured on the switch to enable support for RACL applications VLAN ACL VACL Inbound traffic is a packet entering the switch on a VLAN interface or a subnet in a multinetted VLAN Static Port ACL Inbound traffic is a packet entering the switch on the port RADIUS Assigned ACL Where a RADIUS server has authenticated a client and assigned an ACL to the port to...

Page 391: ...ilter inbound IP traffic from a client authenticated by the server for that port A RADIUS assigned ACL can be configured on a RADIUS server to filter inbound IPv4 and IPv6 traffic When the client session ends the RADIUS assigned ACL for that client is removed from the port See also Implicit Deny remark str The term used in ACL syntax statements to represent the variable remark string a set of alph...

Page 392: ... require an alphanumeric name or an identification number ID in the range of 1 99 See also identifier on page 10 9 Static Port ACL An ACL statically configured on a specific port group of ports or trunk A static port ACL filters all incoming IPv4 traffic on the port regardless of whether it is switched or routed VACL See VLAN ACL VLAN ACL VACL An ACL applied to all IPv4 traffic entering the switch...

Page 393: ...fy a single host a finite group of hosts or any host Extended ACL Use an extended ACL when simple IPv4 source address restrictions do not provide the sufficient traffic selection criteria needed on an interface Extended ACLs allow use of the following criteria source and destination IPv4 address combinations IPv4 protocol options Extended named ACLs also offer an option to permit or deny IPv4 conn...

Page 394: ...uring RADIUS Server Support for Switch Services Connection Rate ACL An optional feature used with Connection Rate filtering based on virus throttling technology Refer to chapter 3 Virus Throttling RACL Applications RACLs filter routed IPv4 traffic entering or leaving the switch on VLANs configured with the in and or out ACL option vlan vid ip access group identifier in out For example in figure 10...

Page 395: ...e switch itself VLAN 1 10 28 10 1 One Subnet VLAN 3 10 28 40 1 10 28 30 1 Multiple Subnets VLAN 2 10 28 20 1 One Subnet Switch with IPv4 Routing Enabled 10 28 10 5 10 28 20 99 10 28 30 33 10 28 40 17 Because of multinetting traffic routed from the 10 28 40 0 network to the 10 28 30 0 network and the reverse remains in VLAN 3 This allows you to apply one inbound ACL to screen traffic arriving from ...

Page 396: ...d to the VLAN or to ports in the VLAN Static Port ACL and RADIUS Assigned ACL Applications An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port regardless of whether the traffic is switched or routed VLAN 1 10 28 10 1 One Subnet VLAN 2 with VACL One Subnet 10 28 20 1 VLAN 3 Multiple Subnets 10 28 40 1 10 28 30 1 Switch with IPv4 Routing Enabled 10 28 10 5 10 28 20 99 10 ...

Page 397: ...n a dynamic ACL to the port the IPv4 and IPv6 traffic inbound on the port from client A is filtered See also Operating Notes on page 10 18 Effect of RADIUS assigned ACLs When Multiple Clients Are Using the Same Port Some network configurations may allow multiple clients to authenticate through a single port where a RADIUS server assigns a separate RADIUS assigned ACL in response to each client s a...

Page 398: ...tiate an authentication attempt This option is recommended for applica tions where only one client at a time can connect to the port and not recommended for instances where multiple clients may access the same port at the same time For more information refer to 802 1X Port Based Access Control in the chapter titled Configuring Port Based and User Based Access Control 802 1X in the latest Access Se...

Page 399: ...f the following Table 10 1 Per Interface Multiple ACL Assignments ACL Type ACL Application Dynamic RADIUS Assigned ACLs one port based ACL for first client to authenticate on the port or up to 32 user based ACLs one per authenticated client Note If one or more user based dynamic ACLs are assigned to a port then the only traffic allowed inbound on the port is from authenticated clients IPv6 Static ...

Page 400: ...y the RACL or it will be dropped Also a switched packet is not affected by an outbound RACL assigned to the VLAN on which the packet exits from the switch For a Packet To Be Permitted It Must Have a Match with a Permit ACE in All Applicable ACLs Assigned to an Interface On a given inter face where multiple ACLs apply to the same traffic a packet having a match with a deny ACE in any applicable ACL...

Page 401: ...ffic regardless of whether any other VACLs permit the traffic Figure 10 4 Example of Order of Application for Multiple ACLs on an Interface Exception for Connection Rate Filtering Connection rate filtering can be configured along with one or more other ACL applications on the same interface In this case a connection rate match for a filter action is carried out according to the configured policy r...

Page 402: ...ce or destination IPv4 address and a mask together can define a single host a range of hosts or all hosts Every ACL populated with one or more explicit ACEs includes an Implicit Deny as the last entry in the list The switchapplies this action to any packets that do not match other criteria in the ACL For standard ACLs the Implicit Deny is deny any For extended ACLs it is deny ip any any In any ACL...

Page 403: ...should be allowed All UDP traffic or UDP traffic for a specific UDP port All ICMP traffic or ICMP traffic of a specific type and code All IGMP traffic or IGMP traffic of a specific type Any of the above with specific precedence and or ToS settings 3 Design the ACLs for the control points interfaces you have selected Where you are using explicit deny ACEs you can optionally use the VACL logging fea...

Page 404: ...ed Similarly to activate a RACLto screenrouted outboundIPv4traffic assigntheRACLto the statically configured VLAN on which the traffic exits from the switch A RACL config ured to screen inbound IPv4 traffic with a destination address on the switch itself does not require routing to be enabled ACLs do not screen outbound IPv4 traffic generated by the switch itself Refer to ACL Screening of IPv4 Tra...

Page 405: ...terface ACL Application Application Point Filter Action Port Static Port ACL switchconfigured inbound on the switch port inbound IPv4 traffic RADIUS Assigned ACL1 inbound on the switch port used by authenticated client inbound IPv4 and or IPv6 traffic from the authenticated client VLAN VACL entering the switch on the VLAN inbound IPv4 traffic RACL2 entering the switch on the VLAN routed IPv4 traff...

Page 406: ...icit deny any Example Suppose the ACL in figure 10 5 is assigned to filter the IPv4 traffic from an authenticated client on a given port in the switch Figure 10 5 Example of Sequential Comparison As shown above the ACL tries to apply the first ACE in the list If there is not a match it tries the second ACE and so on When a match is found the ACL invokes the configured action for that entry permit ...

Page 407: ...orm action permit or deny End End Test the packet against criteria in second ACE Is there a match Test packet against criteria in Nth ACE Is there a match No Yes End Perform action permit or deny 1 If a match is not found with the first ACE in an ACL the switchproceedstothenext ACE and so on 2 If a match with an explicit ACEis subsequently found the packet is either permit ted forwarded or denied ...

Page 408: ...Implicit Deny exit HP Switch config vlan 12 ip access group Test 02 in 4 2 Denies Telnet trafficfrom source address 10 11 11 101 Packets matching this criterion are dropped and are not compared to later criteria in the list Packets not matching this criterion are compared to the next entry in the list 1 Permits IPv4 traffic from source address 10 11 11 42 Packets matching this criterion are permit...

Page 409: ...n Before creating and implementing ACLs you need to define the policies you want your ACLs to enforce and understand how the ACL assignments will impact your network users Note All IPv4 traffic entering the switch on a given interface is filtered by all ACLs configured for inbound traffic on that interface For this reason an inbound IPv4 packet will be denied dropped if it has a match with either ...

Page 410: ...the core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge of the network The earlier in the network path you can block unwanted traffic the greater the benefit for network performance From where is the traffic coming The source and destination of trafficyouwanttofilterdeterminestheACLapplicationtouse RACL VACL static port ACL and RADIUS assigned ACL What tra...

Page 411: ... by blocking selected traffic and can serve as one aspect of maintaining network security However because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IP packet transmissions they should not be relied upon for a complete security solution Note Static IPv4 ACLs for the switches covered by this guide do not filter non IPv4 traffic suc...

Page 412: ...ch in an ACL append an ACE that enables Permit Any forwarding as the last ACE in the ACL This ensures that no packets reach the Implicit Deny case for that ACL Generally you should list ACEs from the most specific individual hosts tothe mostgeneral subnetsorgroupsofsubnets unlessdoing so permits traffic that you want dropped For example an ACE allowing a small group of workstations to use a specia...

Page 413: ...ings This means that the ACL denies any IPv4 packet it encounters that does not have a match with an entry in the ACL Thus if you want an ACL to permit any packets that you have not expressly denied you must enter a permit any or permit ip any any as the last ACE in an ACL Because for a given packet the switch sequentially applies the ACEs in an ACL until it finds a match any packet that reaches t...

Page 414: ...ysical Ports in a Static VLAN A VACL or RACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN including ports that have dynam ically joined the VLAN RACLs Screen Routed IPv4 Traffic Entering or Leaving the Switch on a Given VLAN Interface This means that the following traffic is subject to ACL filtering IPv4 traffic arriving on the switch through one VLAN and l...

Page 415: ... a network mask define the part of an IPv4 address to use for the network number and the bits set to 0 in the mask define the part of the address to use for the host number In an ACL IPv4 addresses and masks provide criteria for determining whether to deny or permit a packet or to pass it to the next ACE in the list If there is a match the configured deny or permit action occurs If there is not a ...

Page 416: ...y match is an IPv4 address identical to the host address specified in the ACE Depending on your network a single ACE that allows a match with more than one source or destination IPv4 address may allow a match with multiple subnets For example in a network with a prefix of 31 30 240 and a subnet mask of 255 255 240 0 the leftmost 20 bits applying an ACL mask of 0 0 31 255 causes the subnet mask and...

Page 417: ...This policy states that every bit in every octet of a packet s SA must be the same as the corresponding bit in the SA defined in the ACE A group of IPv4 addresses fits the matching criteria In this case you provide both the address and the mask For example access list 1 permit 10 28 32 1 0 0 0 31 This policy states that In the first three octets of a packet s SA every bit must be set the same as t...

Page 418: ... s SA 0 0 0 1 1 0 1 0 1 0 1 The shaded area indicates bits in the packet that must exactly match the bits in the source address in the ACE Wherever the mask bits are ones wildcards the corresponding address bits in the packet can be any value and where the mask bits are zeros the corresponding address bits in the packet must be the same as those in the ACE Note This example covers only one octet o...

Page 419: ...ACE Mask Policy for a Match Between a Packet and the ACE Allowed Addresses A 10 38 252 195 0 0 0 255 Exact match in first three octets only 10 38 252 0 255 See row A in table 10 4 below B 10 38 252 195 0 0 7 255 Exact match in the first two octetsandtheleftmostfivebits 248 of the third octet 10 38 248 255 0 255 In the third octet only the rightmost three bits are wildcard bits The leftmost five bi...

Page 420: ...ing the switch on a given VLAN Static Port ACL any IPv4 traffic entering the switch on a given port port list or static trunk 3 If the ACL is applied as an RACL enable IPv4 routing Except for instances where the switch is the traffic source or destination assigned RACLs filter IPv4 traffic only when routing is enabled on the switch Caution Regarding the Use of IPv4 Source Routing IPv4 source routi...

Page 421: ...stablished traffic based on whether the initial request should be allowed Any UDP traffic only or UDP traffic for a specific UDP port Any ICMP traffic only or ICMP traffic of a specific type and code Any IGMP traffic only or IGMP traffic of a specific type Any of the above with specific precedence and or ToS settings For an extended ACL ID use either a unique number in the range of 100 199 or a un...

Page 422: ...mple of the General Structure for a Standard ACL Element Notes Type Standard or Extended Identifier Alphanumeric Up to 64 Characters Including Spaces Numeric 1 99 Standard or 100 199 Extended Remark Allowsupto100alphanumericcharacters including blank spaces If any spaces are used the remark must be enclosed in a pair of single or double quotes AremarkisassociatedwithaparticularACE andwillhavethesa...

Page 423: ...ed ACL include A permit deny statement Source and destination IPv4 addressing Choice of IPv4 criteria including optional precedence and ToS Optional ACL log command for deny entries Optional remark statements HP Switch Config show running ip access list standard Sample List 10 deny 10 28 150 77 0 0 0 0 log 20 permit 10 28 150 1 0 0 0 255 exit ACL List Heading with List Type and Identifier Name or ...

Page 424: ...mit deny ipv4 protocol type SA src acl mask DA dest acl mask permit deny tcp SA operator value DA operator value established ack fin rst syn permit deny udp SA src acl mask operator port id DA dest acl mask operator port id permit deny icmp SA src acl mask DA dest acl mask icmp type permit deny igmp SA SA mask DA dest acl mask igmp type precedence priority tos tos setting log Allowed only with den...

Page 425: ...tended Sample List 1 10 permit ip 10 38 130 55 0 0 0 0 10 38 130 240 0 0 0 0 20 permit tcp 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 eq 23 30 remark ALLOWS HTTP FROM SINGLE HOST 30 permit tcp 10 38 131 14 0 0 0 0 eq 80 0 0 0 0 255 255 255 255 eq 3871 40 remark DENIES HTTP FROM ANY TO ANY 40 deny tcp 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 eq 80 log 50 deny udp 10 42 120 19 0 0 0 0 eq...

Page 426: ...destination address will be denied dropped Since in this example the intent is to block TCP traffic from 10 28 18 100 to any destination except the destination stated in the ACE at line 30 this ACE must follow the ACE at line 30 If their relative positions were exchanged all TCP traffic from 10 28 18 100 would be dropped including the traffic for the 10 28 18 1 destination 50 Any packet from any I...

Page 427: ... of the monitored resources described in the appendix titled Monitored Resources in the Management and Configuration Guide for your switch You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch s Configuration In this case if you subsequently create an ACL with that name or number the switch automatically applies each ACE as soon as you enter it in the ru...

Page 428: ... end of a list named List 1 to allow traffic from the device at 10 10 10 100 HP Switch config ip access list standard List 1 HP Switch config std nacl permit host 10 10 10 100 Insert an ACE anywhere in a named ACL by specifying a sequence number For example if you wanted to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named List 2 to deny IPv4 traffic from the device at 1...

Page 429: ...ot allowed in the same ACL Attempting to enter a duplicate ACE displays the Duplicate access control entry message Using CIDR Notation To Enter the IPv4 ACL Mask You can use CIDR Classless Inter Domain Routing notation to enter ACL masks The switch interprets the bits specified with CIDR notation as the address bits in an ACL and the corresponding address bits in a packet that must match The switc...

Page 430: ... from an ACL HP Switch config ip access list standard name str 1 99 HP Switch config std nacl no 1 2147483647 10 90 Resequence the ACEs in an ACL HP Switch config ip access list resequence name str 1 99 1 2147483647 1 2147483646 10 91 Enter or Remove a Remark from an ACL HP Switch config ip access list standard name str 1 99 HP Switch config ext nacl remark remark str no 1 2147483647 remark For nu...

Page 431: ...creating a named ACL differs from the command syntax for creating a numbered ACL For example the first pair of entries below illustrate how to create or enter a named standard ACL and enter an ACE The next entry illustrates creating a numbered standard ACL with the same ACE HP Switch config ip access list standard Test List HP Switch config std nacl permit host 10 10 10 147 HP Switch config access...

Page 432: ... 74 applying or removing an ACL on an interface 10 81 deleting an ACL 10 85 editing an ACL 10 86 sequence numbering in ACLs 10 87 including remarks in an ACL 10 92 displaying ACL configuration data 10 97 creating or editing ACLs offline 10 107 enabling ACL Deny logging 10 112 Syntax ip access list standard name str Places the CLI in the Named ACL nacl context specified by the name str alphanumeric...

Page 433: ...ies or permits a packet matching the criteria in the ACE as described below any host SA SA mask SA mask length Defines the source IPv4 address SA a packet must carry for a match with the ACE any Allows IPv4 packets from any SA host SA Specifies only packets having SA as the source Use this criterion when you want to match the IPv4 packets from a single source address SA mask or SA mask length Spec...

Page 434: ... logging is enabled on the switch Refer to Enable ACL Deny Logging on page 10 112 Use the debug command to direct ACL logging output to the current console session and or to a Syslog server Note that you must also use the logging ip addr command to specify the addresses of Syslog servers to which you want log messages sent See also Enable ACL Deny Logging on page 10 112 HP Switch config ip access ...

Page 435: ...cess list Sample List Access Control Lists Name Sample List Type Standard Applied No SEQ Entry 10 Action permit IP 10 10 10 104 Mask 0 0 0 0 20 Action deny log IP 10 10 10 1 Mask 0 0 0 255 30 Action permit IP 0 0 0 0 Mask 255 255 255 255 Note that each ACE is automatically assigned a sequence number Topic Page configuring named standard ACLs 10 52 configuring named extended ACLs 10 61 configuring ...

Page 436: ...n be renumbered using resequence page 10 91 Note To insert a new ACE between two existing ACEs in a standard numbered ACL a Use ip access list extended 1 99 to open the ACL as a named ACL b Enter the desired sequence number along with the ACE keywords and variables you want After a numbered ACL has been created it can be managed as either a named or numbered ACL Refer to the Numbered ACLs list ite...

Page 437: ...p of IPv4 addresses The mask format can be in either dotted decimal format or CIDR format number of significant bits Refer to Using CIDR Notation To Enter the IPv4 ACL Mask on page 10 49 SA Mask Application The mask is applied to the SA in the ACE to define which bits in a packet s SA must exactly match the SA configured in the ACL and which bits need not match Example 10 10 10 1 24 and 10 10 10 1...

Page 438: ...d Named ACL in Figure 10 14 HP Switch config access list 17 permit host 10 10 10 104 HP Switch config access list 17 deny 10 10 10 1 24 log HP Switch config access list 17 permit any HP Switch config show access list 17 Access Control Lists Name 17 Type Standard Applied No SEQ Entry 10 Action permit IP 10 10 10 104 Mask 0 0 0 0 20 Action deny log IP 10 10 10 1 Mask 0 0 0 255 30 Action permit IP 0 ...

Page 439: ...ny host DA DA mask length DA mask 1 0 255 0 255 icmp message 10 61 precedence priority tos tos setting log 2 10 61 Create an Extended Numbered ACL or Add an ACE to the End of an Existing Numbered ACL HP Switch config access list 100 199 deny permit ip options tcp udp options igmp options icmp options log 2 precedence priority tos tos setting Note Uses the same IPv4 TCP UDP IGMP and ICMP options as...

Page 440: ...uration For example configuring two ACLs results in an ACL total of two even if neither is assigned to an interface If you then assign a nonexistent ACL to an interface the new ACL total is three because the switch now has three unique ACL names in its configuration For more on ACL limits refer to Monitoring Shared Resources on page 10 129 Use Sequence Num ber To Delete an ACE HP Switch config ip ...

Page 441: ...xtended ACL 2 Enter the first ACE in a new extended ACL or append an ACE to the end of an existing extended ACL This section describes the commands for performing these steps For other ACL topics refer to the following Topic Page configuring named standard ACLs 10 52 configuring numbered standard ACLs 10 55 configuring numbered extended ACLs 10 74 applying or removing an ACL on an interface 10 81 ...

Page 442: ...nacl context specified by the name str alphanumeric identifier This enables entry of individual ACEs in the specified ACL If the ACL does not already exist this command creates it name str Specifies an alphanumeric identifier for the ACL Consists of an alphanumeric string of up to 64 case sensitive characters Including spaces in the string requires that you enclose the string in single or double q...

Page 443: ...utive sequence numbers in increments of 10 and can be renumbered using resequence page 10 91 Note To insert a new ACE between two existing ACEs in an extended named ACL precede deny or permit with an appro priate sequence number along with the ACE keywords and variables you want Refer to Inserting an ACE in an Exist ing ACL on page 10 88 For a match to occur a packet must have the source and desti...

Page 444: ...extended ACE It follows the protocol specifier and defines the source address SA a packet must carry for a match with the ACE any Allows IPv4 packets from any SA host SA Specifies only packets having a single address as the SA Use this criterion when you want to match only the IPv4 packets from a single SA SA mask or SA mask length Specifies packets received from an SA where the SA is either a sub...

Page 445: ...can be in either dotted decimal format or CIDR format number of significant bits Refer to Using CIDR Notation To Enter the IPv4 ACL Mask on page 10 49 DA Mask Application The mask is applied to the DA in the ACL to define which bits in a packet s DA must exactly match the DA configured in the ACL and which bits need not match See also the above example and note precedence 0 7 precedence name This ...

Page 446: ... or in the case of 0 2 4 and 8 as alphanumeric names 0 or normal 2 max reliability 4 max throughput 6 8 minimize delay 10 12 14 Note The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE log This option can be used after the DA to generate an Event Log message if The action is deny Not applicable to permit There is a match ACL logging is enabled ...

Page 447: ...ort established ack fin rst syn Syntax deny permit udp SA comparison operator udp src port DA comparison operator udp dest port In an extended ACL using either tcp or udp as the packet protocol type you can optionally use TCP or UDP source and or desti nation port numbers or ranges of numbers to further define the criteria for a match For example deny tcp host 10 20 10 17 eq 23 host 10 20 10 155 e...

Page 448: ...cket must be in the range start port nbr end port nbr Port Number or Well Known Port Name Use the TCP or UDP port number required by your appli cation The switch also accepts these well known TCP or UDP port names as an alternative to their port numbers TCP bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet UDP bootpc bootps dns ntp radius radius old rip snmp snmp trap tftp To list the abo...

Page 449: ...device Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked However by using the established option inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted but inbound Telnet traffic trying to estab lish a connection would be denied TCP Control Bits In ...

Page 450: ...ing icmp as the packet protocol type see above you can optionally specify an individual ICMP packet type or packet type code pair to further define the criteria for a match This option if used is entered immediately after the destination address DA entry The following example shows two ACEs entered in a Named ACL context permit icmp any any host unknown permit icmp any any 3 7 icmp type icmp code ...

Page 451: ... net prohibited option missing echo packet too big echo reply parameter problem general parameter problem port unreachable host isolated precedence unreachable host precedence unreachable protocol unreachable host redirect reassembly timeout host tos redirect redirect host tos unreachable router advertisement host unknown router solicitation host unreachable source quench information reply source ...

Page 452: ...In an extended ACL using igmp as the packet protocol type you can optionally specify an individual IGMP packet type to further define the criteria for a match This option if used is entered immediately after the destination addressing entry The following example shows an IGMP ACE entered in the Named ACL context HP Switch config ext nacl permit igmp any any host query igmp type The complete list o...

Page 453: ...k 10 10 10 0 VLAN 10 to 10 10 20 0 VLAN 20 and permit all other IPv4 traffic from any source to any destination See A in figure 10 18 below B Permit FTP traffic from 10 10 20 100 on VLAN 20 to 10 10 30 55 on VLAN 30 Deny FTP traffic from other hosts on network10 10 20 0 to any destination but permit all other IPv4 traffic Figure 10 18 Example of an Extended ACL VLAN 10 10 10 10 1 VLAN 20 10 10 20 ...

Page 454: ...ext nacl exit HP Switch config vlan 20 ip access group Extended List 02 in HP Switch config ip access list extended Extended List 01 HP Switch config ext nacl permit tcp host 10 10 10 44 host 10 10 20 78 eq telnet HP Switch config ext nacl deny ip 10 10 10 1 24 10 10 20 1 24 HP Switch config ext nacl permit ip any any HP Switch config ext nacl exit HP Switch config vlan 10 ip access group Extended...

Page 455: ... In the default configuration the ACEs in an ACL will automatically be assigned consecutive sequence numbers in increments of 10 and can be renumbered with resequence page 10 91 Note To insert a new ACE between two existing ACEs in an extended numbered ACL a Use ip access list extended 100 199 to open the ACL as a named ACL b Enter the desired sequence number along with the ACE statement you want ...

Page 456: ...ir corresponding protocol names refer to the IANA Protocol Number Assignment Services at www iana com Range 0 255 For TCP UDP ICMP and IGMP additional criteria can be specified as described later in this section any host SA SA mask length SA mask In an extended ACL this parameter defines the source address SA that a packet must carry in order to have a match with the ACE any Specifies all inbound ...

Page 457: ...described earlier and defines the destination address DA that a packet must carry in order to have a match with the ACE The options are the same as shown for SA any Allows routed IPv4 packets to any DA host DA Specifies only the packets having DA as the destination address Use this criterion when you want to match only the IPv4 packets for a single DA DA mask length or DA mask Specifies packets in...

Page 458: ... selection criteria config ured in the same ACE tos This option can be used after the DA to cause the ACE to match packets with the specified Type of Service ToS set ting ToS values can be entered as the following numeric settings or in the case of 0 2 4 and 8 as alphanumeric names 0 or normal 2 max reliability 4 max throughput 6 8 minimize delay 10 12 14 Note The ToS criteria in this section are ...

Page 459: ...That is an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE As an optional alterna tive the ACE can include the name of an ICMP packet type For a summary of the extended ACL syntax options refer to table on page 10 59 Syntax access list 100...

Page 460: ...an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE For a summary of the extended ACL syntax options refer to table on page 10 59 Syntax access list 100 199 deny permit igmp src ip dest ip igmp type The IGMP type criteria is identical to the criter...

Page 461: ... ip access group identifier in out where identifier either a ACL name or an ACL ID number Assigns an ACL to a VLAN as an RACL to filter routed IPv4 traffic entering or leaving the switch on that VLAN You can use either the global configuration level or the VLAN context level to assign or remove an RACL Note The switch allows you to assign a nonexistent ACL name or number to a VLAN In this case if ...

Page 462: ... Enables an RACL from the Global Configuration Level Enables an RACL from a VLAN Context Disables an RACL from the Global Configuration Level Disabling an RACL from a VLAN Context Syntax no vlan vid ip access group identifier vlan where identifier either a ACL name or an ACL ID number Assigns an ACL as a VACL to a VLAN to filter any IPv4 traffic entering the switch on that VLAN You can use either ...

Page 463: ...om the Global Configuration Level Enables a VACL from a VLAN Context Disables a VACL from the Global Configuration Level Disables a VACL from a VLAN Context Syntax no interface port list Trkx ip access group identifier in where identifier either a ACL name or an ACL ID number Assigns an ACL as a static port ACL to a port port list or static trunk to filter any IPv4 traffic entering the switch on t...

Page 464: ...witch eth b10 ip access group 155 in HP Switch eth b10 exit HP Switch config no interface b10 ip access group My List in HP Switch config interface b10 HP Switch eth b10 no ip access group 155 in HP Switch eth b10 exit Enables a static port ACL from the Global Configuration level Enables a static port ACL from a port context Disables a static port ACL from the Global Configuration level Uses a VLA...

Page 465: ...pty ACL to the interface Subsequently populating the empty ACL with explicit ACEs causes the switch to automatically activate the ACEs as they are created and to implement the implicit deny at the end of the ACL Deleting an ACL from the running configuration while the ACL is currently assigned on an interface results in an empty version of the ACL in the running con figuration and on the interface...

Page 466: ...ut specifying a sequence number the switch inserts the ACE as the last entry in the ACL When you enter a new ACE in a named ACL and include a sequence number the switch inserts the ACE according to the position of the sequence number in the current list of ACEs Numbered ACLs When using the access list 1 99 100 199 command to create or add ACEs to a numbered ACL each new ACE you enter is added to t...

Page 467: ...numbered in increments of 10 For example the following show run output lists three ACEs with default numbering in a list named My List Figure 10 23 Example of the Default Sequential Numbering for ACEs You can add an ACE to the end of a named or numbered ACL by using either access list for numbered ACLs or ip access list for named ACLs Figure 10 24 Examples of Adding an ACE to the end of Numbered o...

Page 468: ...dard My List HP Switch config std nacl permit any HP Switch config std nacl show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 20 permit 10 20 10 117 0 0 0 0 30 deny 10 20 10 1 0 0 0 255 40 permit 0 0 0 0 255 255 255 255 exit Syntax ip access list standard extended name str 1 99 100 199 1 2147483647 permit deny standard acl ip criteria log 1 2147483647 permit deny extended acl ...

Page 469: ...etween the ACEs numbered 10 and 20 in figure 10 25 requires a sequence number in the range of 11 19 for the new ACE Figure 10 26 Example of Inserting an ACE in an Existing ACL In the following example the first two ACEs entered become lines 10 and 20 in the list The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20 HP Switch config ip access list ...

Page 470: ...x ip access list standard extended name str 1 99 100 199 no seq The first command enters the Named ACL context for the specified ACL The no command deletes the ACE corresponding to the sequence number entered Range 1 2147483647 HP Switch config ip access list standard List 01 HP Switch config std nacl permit 10 10 10 1 24 HP Switch config std nacl deny 10 10 1 1 16 HP Switch config std nacl 15 per...

Page 471: ...g seq Specifies the sequence number for the first ACE in the list Default 10 Range 1 2147483647 interval Specifies the interval between sequence numbers for the ACEs in the list Default 10 Range 1 2147483647 HP Switch config show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 15 deny 10 10 10 1 0 0 0 255 20 permit 10 20 10 117 0 0 0 0 30 deny 10 20 10 1 0 0 0 255 40 permit 0 0 0...

Page 472: ...k remark str This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark The next command entry should be the ACE to which the remark belongs The new ACE will automatically be numbered with the same sequence number as was used for the preceding remark HP Switch config show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 15 d...

Page 473: ... 100 199 seq remark remark str no seq remark This syntax applies to both named and numbered ACLs With out an optional sequence number the remark is appended to the end of the list and automatically assigned a sequence number When entered with an optional sequence number the remark is inserted in the list according to the numeric prece dence of the sequence number The no form of the command deletes...

Page 474: ...ig std nacl remark HOST 10 20 10 34 HP Switch config std nacl permit host 10 20 10 34 HP Switch config std nacl show run hostname HP Switch ip access list standard My List 10 permit 10 10 10 15 0 0 0 0 20 deny 10 10 10 1 0 0 0 255 30 remark HOST 10 20 10 34 30 permit 10 20 10 34 0 0 0 0 exit The remark is assigned the same number that the immediately followingACE 30 inthisexample isassigned when i...

Page 475: ...ber and content of the ACE having a remark you want to remove 3 Delete the ACE 4 Using the same sequence number re enter the ACE Operating Notes for Remarks The resequence command ignores orphan remarks that do not have an ACE counterpart with the same sequence number For example if a remark numbered 55 exists in an ACE there is no ACE numbered 55 in the same ACL resequence is executed on an ACL t...

Page 476: ...0 1 24 HP Switch config std nacl remark Marketing HP Switch config std nacl remark Channel_Mktg HP Switch config std nacl show run ip access list standard Accounting 10 permit 10 10 10 115 0 0 0 0 20 deny 10 10 10 1 0 0 0 255 30 remark Channel_Mktg exit Where multiple remarks are sequentially entered for automatic inclusion at the end of an ACL each successive remark replacesthepreviousoneuntilan ...

Page 477: ... the ACLina list format similar to that used to display an ACL in the show running config output 10 103 show access list resources Displays information on the resources currently available in the switch Refer to the Monitoring Resources appendixinthelatestManagement and Configuration Guide for your switch show access list radius all port list Lists the RADIUS ACL s currently assigned for either al...

Page 478: ...d on the switch Term Meaning Type Shows whether the listed ACL is an IPv4 std ACL an IPv4 ext ACL or an IPv6 ACL Appl Shows whether the listed ACL has been applied to an interface yes no Name Shows the identifier name or number assigned to each ACL configured in theswitch HP Switch config show access list Access Control Lists Type Appl Name ext yes 101 std yes 55 ext yes Marketing ipv6 no Accounti...

Page 479: ...his command for input to an offline text file in which you can edit add or delete ACL commands Refer to Creating or Editing ACLs Offline on page 10 107 Thisinformationalsoappearsintheshowrunningdisplay Ifyouexecutedwrite memory after configuring an ACL it appears in the show config display Figure 10 33 shows the ACLs on a switch configured with two IPv6 ACLs named Accounting and List 01 Inbound an...

Page 480: ...fig show access list config ip access list extended 101 10 permit tcp 10 30 133 27 0 0 0 0 0 0 0 0 255 255 255 255 20 permit tcp 10 30 155 101 0 0 0 0 0 0 0 0 255 255 255 255 30 deny ip 10 30 133 1 0 0 0 0 0 0 0 0 255 255 255 255 log 40 deny ip 10 30 155 1 0 0 0 255 0 0 0 0 255 255 255 255 exit ipv6 access list Accounting 10 permit tcp 2001 db8 0 1af 10 14 128 0 eq 23 20 permit tcp 2001 db8 0 1af ...

Page 481: ...arious ports and trunks on the switch HP Switch config show access list vlan 20 Access Lists for VLAN 20 Inbound Access List Account 2 Type Extended Outbound Access List 101 Type Extended Ipv6 VACL Access List Blue Group VACL Access List None Connection Rate Filter Access List None An extended IPv4 ACL named Account 2 is assigned to filter routed IPv4 traffic entering the switch on VLAN 20 An exte...

Page 482: ...sts for Port B12 Inbound 101 Type Extended Inbound Ipv6 Accounting Access Lists for Port Trk2 Inbound Ipv6 Accounting Access Lists for Port Trk5 Inbound Marketing Type Extended An IPv6 ACL is filtering inbound traffic on port B1 Both an IPv4 ACL and an IPv6 ACL are filtering inbound IPv4 and IPv6 traffic respectively on port B12 An IPv6 ACL is filtering inbound IPv6 traffic on Trunk 2 Trk2 An IPv4...

Page 483: ...ng two ACLs in the switch Use show access list identifier to inspect a specific IPv6 or IPv4 ACL as follows Syntax show access list identifier config Display detailed information on the content of a specific ACL configured in the running config file Identifier Type Desired Action Accounting IPv6 Permit Telnet traffic from these two IPv6 addresses 2001 db8 0 1af 10 14 2001 db8 0 1af 10 24 Deny Teln...

Page 484: ...Dst IP Prefix Len 0 Src Port s Dst Port s eq 23 Proto TCP Option s Dscp 30 Action deny log Src IP 2001 db8 0 1af 10 Prefix Len 116 Dst IP Prefix Len 0 Src Port s Dst Port s Proto TCP Option s Dscp 40 Action permit Src IP 2001 db8 0 1af 10 Prefix Len 116 Dst IP Prefix Len 0 Src Port s Dst Port s Proto IPV6 Dscp IndicateswhethertheACL is applied to an interface TCP Source Port Source Address Protoco...

Page 485: ...lished TOS Precedence routine 20 Action deny log Src IP 10 30 133 1 Mask 0 0 0 255 Port s Dst IP 0 0 0 0 Mask 255 255 255 255 Port s Proto IP TOS Precedence 30 Action permit Src IP 0 0 0 0 Mask 255 255 255 255 Port s Dst IP 0 0 0 0 Mask 255 255 255 255 Port s Proto IP TOS Precedence IndicateswhethertheACL is applied to an interface Remark Field Appears if remark configured Empty field indicates th...

Page 486: ... Entry Lists the content of the ACEs in the selected ACL Action Permit forward or deny drop a packet when it is compared to the criteria in the applicable ACE and found to match Includes the optional log option if used in deny actions Remark Displays any optional remark text configured for the selected ACE IP Used for Standard ACLs The source IPv4 address to which the configured mask is applied to...

Page 487: ...method described in this section Note copy commands that used either tftp or xmodem also include an option to use usb as a source or destination device for file transfers So although the following example highlights tftp bear in mind that xmodem or usb can also be used to transfer ACLs to and from the switch Creating or Editing an ACL Offline The Offline Process 1 Begin by doing one of the followi...

Page 488: ...mask of 255 255 255 0 and a TFTP server at 10 10 10 1 ID LIST 20 IN Deny Telnet access to a server at 10 10 10 100 on VLAN 10 from these three addresses on VLAN 20 with ACL logging 10 10 20 17 10 10 20 23 10 10 20 40 Allow any access to the server from all other addresses on VLAN 20 Permit internet access to these two address on VLAN 20 but deny access to all other addresses on VLAN 20 without ACL...

Page 489: ...ip access list extended LIST 20 IN CREATED ON JUNE 27 10 remark THIS ACE APPLIES INBOUND ON VLAN 20 10 permit tcp any host 10 10 20 98 eq http 20 permit tcp any host 10 10 20 21 eq http 30 deny tcp any 10 10 20 1 24 eq http VLAN 20 SOURCES TO VLAN 10 DESTINATIONS 40 deny tcp host 10 10 20 17 host 10 10 10 100 eq telnet log 50 deny tcp host 10 10 20 23 host 10 10 10 100 eq telnet log 60 deny tcp ho...

Page 490: ...10 1 LIST 20 IN txt pc Running configuration may change do you want to continue y n Y 1 ip access list extended LIST 20 IN 3 CREATED ON JUNE 27 5 10 remark THIS ACE APPLIES INBOUND ON VLAN 20 6 10 permit tcp any host 10 10 20 98 eq http 7 20 permit tcp any host 10 10 20 21 eq http 8 30 deny tcp any 10 10 20 1 24 eq http 10 VLAN 20 SOURCES TO VLAN 10 DESTINATIONS 12 40 deny tcp host 10 10 20 17 hos...

Page 491: ... 10 10 20 1 0 0 0 255 eq 80 40 deny tcp 10 10 20 17 0 0 0 0 10 10 10 100 0 0 0 0 eq 23 log 50 deny tcp 10 10 20 23 0 0 0 0 10 10 10 100 0 0 0 0 eq 23 log 60 deny tcp 10 10 20 40 0 0 0 0 10 10 10 100 0 0 0 0 eq 23 log 70 permit ip 10 10 20 1 0 0 0 255 10 10 10 100 0 0 0 0 80 remark VLAN 30 POLICY 80 deny ip 10 10 30 1 0 0 0 255 10 10 10 100 0 0 0 0 90 permit ip 10 10 30 1 0 0 0 255 10 10 10 1 0 0 0...

Page 492: ...the current console Telnet or SSH session You can use logging to configure up to six Syslog server destinations Requirements for Using ACL Logging The switch configuration must include an ACL 1 assigned to a port trunk or static VLAN interface and 2 containing an ACE configured with the deny action and the log option If the RACL application is used then IPv4 routing must be enabled on the switch F...

Page 493: ... line summary of any additional deny matches for that ACE and any other deny ACEs for which the switch detected a match If no further log messages are generated in the wait period the switch suspends the timer and resets itself to send a message as soon as a new deny match occurs The data in the message includes the information illustrated in figure 10 43 Figure 10 43 Content of a Message Generate...

Page 494: ...For example suppose that you want to configure the following operation On VLAN 10 configure an extended ACL with an ACL ID of NO TELNET and use the RACL in option to deny Telnet traffic entering the switch from 10 10 10 3 to any routed destination Note that this assignment will not filter Telnet traffic from 10 10 10 3 to destinations on VLAN 10 itself Configure the switch to send an ACL log messa...

Page 495: ... 3 HP Switch config logging facility syslog HP Switch config debug destination logging HP Switch config debug destination session HP Switch config debug acl HP Switch config write mem HP Switch config show debug Debug Logging Destination Logging 10 10 20 3 Facility syslog Session Enabled debug types event acl log HP Switch config show access list config ip access list extended NO TELNET 10 remark ...

Page 496: ... or other destination device s The first time a packet matches an ACE with deny and log configured the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes default value The exact dura tion of the period depends on how the packets are internally routed At the end of the wait period the switch sends a single line summary of any additional ...

Page 497: ...rmine whether a particular traffic type is being filtered by the intended ACE in an assigned list or if traffic from a particular device or network is being filtered as intended Note This section describes the command for monitoring static ACL performance To monitor RADIUS assigned ACL performance use either of the following commands show access list radius all port list show port access authentic...

Page 498: ...on a specific interface Total This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL s counters were last reset to 0 zero For example figure 10 46 illustrates both IPv6 and IPv4 ACL activity HP Switch show statistics aclv6 IPV6 ACL vlan 20 vlan HitCounts for ACL IPV6 ACL Total 12 10 permit icmp 0 fe80 20 2 128 128 6 20 deny tcp 0 fe8...

Page 499: ...n ACL line 10 below there has been a total of 37 matches on the ACE since the last time the ACL s counters were reset Total 37 10 permit icmp 0 fe80 20 2 128 128 Note This ACL monitoring feature does not include hits on the implicit deny that is included at the end of all ACLs Resetting ACE Hit Counters to Zero Using the clear statistics command page 10 118 Removing an ACL from an interface zeros ...

Page 500: ...t icmp 0 fe80 20 3 128 128 136 30 permit tcp fe80 20 1 128 0 eq 23 2 40 deny icmp 0 fe80 20 1 128 128 10 50 deny tcp 0 0 eq 23 8 60 deny icmp 0 0 133 155 70 permit ipv6 0 0 HP Switch sho statistics aclv4 102 vlan 20 vlan HitCounts for ACL 102 Total 1 10 permit icmp 10 10 20 3 0 0 0 0 10 10 20 2 0 0 0 0 8 2 20 deny icmp 10 10 20 3 0 0 0 0 10 10 20 1 0 0 0 0 8 log 2 30 deny icmp 10 10 20 2 0 0 0 0 1...

Page 501: ...CL V6 02 Total 5 10 permit icmp 0 fe80 20 2 128 128 4 20 permit icmp 0 fe80 20 3 128 128 136 30 permit tcp fe80 20 1 128 0 eq 23 2 40 deny icmp 0 fe80 20 1 128 128 10 50 deny tcp 0 0 eq 23 8 60 deny icmp 0 0 133 155 70 permit ipv6 0 0 HP Switch clear statistics aclv6 V6 02 vlan 20 vlan HP Switch show statistics aclv6 V6 02 vlan 20 vlan HitCounts for ACL V6 02 Total 0 10 permit icmp 0 fe80 20 2 128...

Page 502: ...stances of the same ACL applied to other interfaces are not affected For example suppose that An ACL named V6 01 is configured as shown in figure 10 50 to block Telnet access to a workstation at FE80 20 2 which is connected to a port belonging to VLAN 20 The ACL is assigned as a PACL port ACL on port B2 which is also a member of VLAN 20 Figure 10 50 ACL V6 01 and Command for PACL Assignment on Por...

Page 503: ...or port ACL PACL the switch maintains a separate instance of ACE counters for each interface assignment Thus when there is a match with traffic on one of the ACL s VACL or PACL assigned interfaces only the ACE counter in the affected instance of the ACL is incremented However if an ACL HP Switch ping6 fe80 20 2 vlan20 fe80 0000 0000 0000 0000 0000 0020 0002 is alive time 5 ms HP Switch telnet fe80...

Page 504: ...70 RACL Figure 10 54 ACL Test 1 and Interface Assignment Commands Figure 10 55 Example of Using the Same ACL for VACL and RACL Applications HP Switch config show access list config ip access list extended Test1 10 deny tcp 0 0 0 0 255 255 255 255 10 10 20 12 0 0 0 0 eq 23 log 20 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 exit HP Switch config vlan 20 ip access group Test 1 vlan HP S...

Page 505: ...ill be filtered by instances of Test 1 assigned as RACLs and will increment the counters for ACE 10 on both RACL instances of the Test 1 ACL Using the network infigure 10 55 a device at 10 10 20 4 on VLAN 20 attempting to ping and Telnet to 10 10 20 12 is filtered through the VACL instance of the Test 1 ACL on VLAN 20 and results in the following Figure 10 56 Ping and Telnet from 10 10 20 4 to 10 ...

Page 506: ...lan 20 vlan Hit Counts for ACL Test 1 Total 5 10 deny tcp 0 0 0 0 255 255 255 255 10 10 20 2 0 0 0 0 eq 23 log 2 20 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 HP Switch show statistics aclv4 Test 1 vlan 50 in Hit Counts for ACL Test 1 Total 0 10 deny tcp 0 0 0 0 255 255 255 255 10 10 20 2 0 0 0 0 eq 23 log 0 20 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 Indicates deni...

Page 507: ... 0 0 0 0 eq 23 log 1 20 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 HP Switch config Indicates the same type of data as shown in figure 10 57 for the VACL assignment of the Test 1 ACL That is the Ping attempt incremented the counters for ACE 20 and the Telnet attempt incremented the counters for ACE 10 in the VLAN 50 RACL instance of the ACL HP Switch config show statistics aclv4 Tes...

Page 508: ...g statement included and apply the ACL to an appropriate VLAN Logging enables you to selectively test specific devices or groups However excessive logging can affect switch performance For this reason HP recommends that you remove the logging option from ACEs for which you do not have a present need Also avoid config uring logging where it does not serve an immediate purpose Note that ACL logging ...

Page 509: ...formation or QoS Replacing or Adding To an Active ACL Policy If you assign an ACL to an interface and subsequently add or replace ACEs in that ACL each new ACE becomes active when you enter it If the ACL is configured on multiple interfaces when the change occurs then the switch resources must accom modate all applications of the ACL If there are insufficient resources to accommodate one of severa...

Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...

Page 511: ...work gateway address is assigned by a rogue DHCP server Address exhaustion of available addresses in the network DHCP server caused by repeated attacker access to the network and numer ous IP address requests Dynamic ARP protection Protects your network from ARP cache poisoning as in the following cases An unauthorized device forges an illegitimate ARP response and network devices use the response...

Page 512: ...ystem response time to new network events Attempts by hackers to access the switch indicated by an excessive number of failed logins or port authentication failures Attempts to deny switch service by filling the forwarding table indi cated by an increased number of learned MAC addresses or a high number of MAC address moves from one port to another Attempts to exhaust available CPU resources indic...

Page 513: ...ndition for Dropping a Packet Packet Types A packet from a DHCP server received on an untrusted port DHCPOFFER DHCPACK DHCPNACK If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses DHCPOFFER DHCPACK DHCPNACK Unless configured to n...

Page 514: ...addresses are considered valid Maximum 20 authorized servers database To configure a location for the lease database enter a URL in the format tftp ip addr ascii string The maximum number of characters for the URL is 63 option Add relay information option Option 82 to DHCP client packets that are being forwarded out trusted ports The default is yes add relay information trust Configure trusted por...

Page 515: ... Information DHCP Snooping Yes Enabled Vlans Verify MAC Yes Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 remote id mac Store lease database Not configured Port Trust B1 No B2 No HP Switch config show dhcp snooping stats Packet type Action Reason Count server forward from trusted port 8 client forward to trusted port 8 server drop received on untrusted port 2 server drop unauth...

Page 516: ...oping enabled on VLAN 4 Figure 11 3 Example of DCHP Snooping on a VLAN Configuring DHCP Snooping Trusted Ports By default all ports are untrusted To configure a port or range of ports as trusted enter this command HP Switch config dhcp snooping trust port list You can also use this command in the interface context in which case you are not able to enter a list of ports HP Switch config dhcp snoopi...

Page 517: ...e a source address in the autho rized server list in order to be considered valid If no authorized servers are configured all servers are considered valid You can configure a maximum of 20 authorized servers To configure a DHCP authorized server address enter this command in the global configuration context HP Switch config dhcp snooping authorized server ip address HP Switch config dhcp snooping ...

Page 518: ...s for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion Option 82 inserted in this manner allows the association of the client s lease with the correct port even when another device is acting as a DHCP relay or when the server is on the same subnet as the client Not e DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled...

Page 519: ...on in the packet remote id Set the value used for the remote id field of the relay information option mac The switch mac address is used for the remote id This is the default subnet ip The IP address of the VLAN the packet was received on is used for the remote id If subnet ip is specified but the value is not set the MAC address is used mgmt ip The management VLAN IP address is used as the remote...

Page 520: ... ip Figure 11 6 Example of DHCP Snooping Option 82 using the VLAN IP Address Disabling the MAC Address Check DHCP snooping drops DHCP packets received on untrusted ports when the check address chaddr field in the DHCP header does not match the source MAC address of the packet default behavior To disable this checking use the no form of this command HP Switch config dhcp snooping verify mac HP Swit...

Page 521: ...nfigure this location use this command Syntax no dhcp snooping database file tftp ip address ascii string delay 15 86400 timeout 0 86400 file Must be in Uniform Resource Locator URL format tftp ip address ascii string The maximum filename length is 63 characters delay Number of seconds to wait before writing to the database Default 300 seconds timeout Number of seconds to wait for the database fil...

Page 522: ... lease database from the tftp server it waits until that operation times out and then begins forwarding DHCP packets Enabling Debug Logging To enable debug logging for DHCP snooping use this command Operational Notes DHCP is not configurable from the WebAgent or menu interface If packets are received at too high a rate some may be dropped and need to be re transmitted Syntax show dhcp snooping bin...

Page 523: ...stination address is out a port configured as untrusted Ceasing untrusted port destination logs for s More that one client unicastpacketwithanuntrustedportdestinationwasdropped Toavoidfilling the log file with repeated attempts untrusted port destination attempts will not be logged for the specified duration Unauthorized server ip address detected on port port number Indicates that an unauthorized...

Page 524: ...ith repeated attempts client address mismatch events will not be logged for the specified duration Attempt to release address ip address leased to port port number detected on port port number dropped Indicates an attempt by a client to release an address when a DHCPRELEASE or DHCPDECLINE packet is received on a port different from the port the address was leased to Ceasing bad release logs for s ...

Page 525: ...LAN node to be sent to the attacker s MAC address As a result the attacker can intercept traffic for other hosts in a classic man in the middle attack The attacker gains access to any traffic sent to the poisoned address and can capture passwords e mail and VoIP calls or even modify traffic before resending it Another way in which the ARP cache of known IP addresses and associated MAC addresses ca...

Page 526: ...m devices that have been assigned static IP addresses are also verified Supports additional checks to verify source MAC address destination MAC address and IP address ARP packets that contain invalid IP addresses or MAC addresses in their body that do not match the addresses in the Ethernet header are dropped When dynamic ARP protection is enabled only ARP request and reply packets with valid IP t...

Page 527: ... requests and responses on the port Each intercepted packet is checked to see if its IP to MAC binding is valid If a binding is invalid the switch drops the packet You must configure trusted ports carefully For example in the topology in Figure 11 9 Switch B may not see the leased IP address that Host 1 receives from the DHCP server If the port on Switch B that is connected to Switch A is untruste...

Page 528: ...own Layer 2 domain Because ARP packets do not cross Layer 2 domains the unprotected switches cannot unknowingly accept ARP packets from an attacker and forward them to protected switches through trusted ports To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports enter the arp protect trust command at the global configuration level The switch does not check ARP requ...

Page 529: ...ding command at the global configuration level An example of the ip source binding command is shown here HP Switch config ip source binding 0030c1 7f49c0 interface vlan 100 10 10 20 1 interface 4 Not e Note that the ip source binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings The Dynamic ARP Protection and Dynamic IP Lockdown features share a c...

Page 530: ... Dynamic ARP Protection To display the current configuration of dynamic ARP protection including the additional validation checks and the trusted ports that are configured enter the show arp protect command Syntax no arp protect validate src mac dst mac ip src mac Optional Drops any ARP request or response packet in which the source MAC address in the Ethernet header does not match the sender MAC ...

Page 531: ...tect statistics Command ARP Protection Information Enabled Vlans 1 4094 Validate dst mac src mac Port Trust 1 Yes 2 Yes 3 No 4 No 5 No HP Switch config show arp protect HP Switch config show arp protect statistics Status and Counters ARP Protection Counters for VLAN 1 Forwarded pkts 10 Bad source mac 2 Bad bindings 1 Bad destination mac 1 Malformed pkts 0 Bad IP address 0 Status and Counters ARP P...

Page 532: ...s spoofing on a per port and per VLAN basis When dynamic IP lockdown is enabled IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port The IP to MAC address binding can either be statically configured or learned by the DHCP Snooping feature HP Switch config debug arp protect 1 ARP request is valid DARPP Allow ...

Page 533: ...e internal lists are dynamically created from known IP to MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address Prerequisite DHCP Snooping Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored...

Page 534: ...oved The port reverts back to switching traffic as usual Filtering IP and MAC Addresses Per Port and Per VLAN This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature Internal Dynamic IP lockdown bindings dynamically applied on a per port basis from information in the DHCP Snooping lease database and stati cally configured IP to MAC address bindings Pack...

Page 535: ...lockdown Operating Notes Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets which are handled by DHCP snooping DHCP snooping is a prerequisite for Dynamic IP Lockdown operation The following restrictions apply DHCP snooping ...

Page 536: ... on how to configure and use DHCP snooping see DHCP Snooping on page 11 2 After you enter the ip source lockdown command enabled globally with thedesiredportsenteredin port list thedynamicIPlockdownfeature remains disabled on a port if any of the following conditions exist If DHCP snooping has not been globally enabled on the switch If the port is not a member of at least one VLAN that is enabled ...

Page 537: ... enabled globally or on ports the bindings associated with the ports are written to hardware This occurs during these events Switch initialization Hot swap A dynamic IP lockdown enabled port is moved to a DHCP snooping enabled VLAN DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports Potential Issues with Bindings When dynamic IP lo...

Page 538: ... Dynamic IP Lockdown Configuration To display the ports on which dynamic IP lockdown is configured enter the show ip source lockdown status command at the global configuration level Syntax no ip source binding vlan id ip address mac address port number vlan id Specifies a valid VLAN ID number to bind with the specified MAC and IP addresses on the port in the DHCP binding database ip address Specif...

Page 539: ...play the static configurations of IP to MAC bindings stored in the DHCP lease database enter the show ip source lockdown bindings command Anexampleoftheshowipsource lockdownbindingscommandoutputisshown in Figure 11 6 Syntax show ip source lockdown bindings port number port number Optional Specifies the port number on which source IP to MAC address and VLAN bindings are configured in the DHCP lease...

Page 540: ...command To send command output to the active CLI session enter the debug destination session command Counters for denied packets are displayed in the debug dynamic ip lockdown command output Packet counts are updated every five minutes An example of the command output is shown in Figure 11 7 When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP to MAC addr...

Page 541: ... of 8 192 entries HP Switch config debug dynamic ip lockdown DIPLD 01 01 90 00 01 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 1 packets DIPLD 01 01 90 00 06 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 294 packets DIPLD 01 01 90 00 11 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 01 90 00 16 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 ...

Page 542: ...they both use the snooping database 3400 2800 32 bindings per port up to 512 manual bindings Up to 32 VLANs with DHCP snooping enabled This is not guaranteed as the hardware resources are shared with QoS 2610 8 bindings per port up to 512 manual bindings Globally 118 to 125 hosts Up to 8 VLANs with DHCP snooping enabled This is not guaranteed as the hardware resources are shared with IDM ACLs The ...

Page 543: ...ssive system resource usage resulting in insufficient resources for legitimate traffic login failures min The count of failed CLI login attempts or SNMP management authentication failures This indicates an attempt has been made to manage the switch with an invalid login or password Also it might indicate a network management station has not been configured with the correctSNMP authentication param...

Page 544: ... multiple messages are generated In the preceding example if a condition is reported 4 times persists for more than 15 minutes then alerts cease for 15 minutes If after 15 minutes the condition still exists the alerts cease for 30 minutes then for 1 hour 2 hours 4 hours 8 hours andafter thatthepersisting conditionis reported once a day As with other event log entries these alerts can be sent to a ...

Page 545: ...n events per minute discarded to help free CPU resources when busy Default threshold setting when enabled 100 med login failures The count of failed CLI login attempts or SNMP management authen tication failures per hour Default threshold setting when enabled 10 med mac address count The number of MAC addresses learned in the forwarding table You must enter a specific value in order to enable this...

Page 546: ...of the system delay parameter HP Switch config no instrumentation monitor system delay To adjust the alert threshold for the MAC address count to the low value HP Switch config instrumentation monitor mac address count low To adjust the alert threshold for the MAC address count to a specific value HP Switch config instrumentation monitor mac address count 767 To enable monitoring of learn discards...

Page 547: ...nstrumentation Monitor configuration is to use the show run command However the show run com mand output does not display the threshold values for each limit set HP Switch show instrumentation monitor configuration PARAMETER LIMIT mac address count 1000 med ip address count 1000 med system resource usage 50 med system delay 5 high mac moves min 100 med learn discards min 100 med ip port scans min ...

Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...

Page 549: ...ches in the above table or switches not listed here refer to the documentation provided for those switches Models Source Port Filters Protocol Filters Multicast Filters 8200zl Switches Yes Yes Yes 6600 Switches Yes Yes Yes 6400cl Switches Yes No No 5400zl Switches Yes Yes Yes 4200vl Switches Yes No No 3800 Switches Yes Yes Yes 3500 3500yl Switches Yes Yes Yes 3400cl Switches Yes No No 2800 Switche...

Page 550: ...gured Up to 8 with more than 1024 VLANs configured Protocol filters up to 7 Using Port Trunks with Filters The switch manages a port trunk as a single source or destination for source port filtering If you configure a port for filtering before adding it to a port trunk the portretains the filter configuration butsuspends the filtering action while a member of the trunk If you want a trunk to perfo...

Page 551: ... physical source port will be forwarded or dropped on a per port destination basis Multicast Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports the default or dropped on a per port destination basis Protocol Inbound traffic having the selected frame protocol type will be forwarded or dropped on a per port destination basis End Node A Server Switch 8212zl C...

Page 552: ...orts and or trunks the switch automatically forwards traffic to the outbound ports and or trunks you do not specifically configure to drop traffic Destination ports that comprise a trunk are listed collectively by the trunk name such as Trk1 instead of by individual port name Packets allowed for forwarding by a source port filter are subject to thesameoperationasinboundpacketsonaportthatisnotconfi...

Page 553: ...using this capability you can define a source port filter once and apply it to multiple ports and port trunks This can make it easier to configure and manage source port filters on your switch The commands to define configure apply and display the status of named source port filters are described below Switch Server A Port 7 Port 8 Server B Port 9 Server C Port 5 Workstation X This list shows the ...

Page 554: ... applied to any ports Defining and Configuring Named Source Port Filters Thenamedsource portfiltercommandoperatesfromtheglobalconfiguration level Syntax no filter source port named filter filter name Defines or deletes a named source port filter The filter name may contain a maximum of 20 alpha numeric characters longer names may be specified but they are not displayed A filter name cannot be a va...

Page 555: ...x filter source port named filter filter name drop destination port list Configures the named source port filter to drop traffic having a destination on the ports and or port trunks in the destination port list Can be followed by the forward option if you have other destination ports or port trunks previously set to drop that you want to change to forward For example filter source port named filte...

Page 556: ... where each filter entry includes a Filter Name Port List and Action Filter Name The filter name used when a named source port filter is defined Non named source port filters are automatically assigned the port or port trunk number of the source port Port List Lists the port and port trunk destinations using the filter Named source port filters that are not in use display NOT USED Action Lists the...

Page 557: ...port named filter accounting drop 1 6 8 9 12 26 HP Switch config filter source port named filter no incoming web drop 7 10 11 HP Switch config show filter source port Traffic Security Filters Filter Name Port List Action web only NOT USED drop 2 26 accounting NOT USED drop 1 6 8 9 12 26 no incoming web NOT USED drop 7 10 11 HP Switch Switch 2626 config Ports and port trunks using the filter When N...

Page 558: ...Source Port 9 8 Source Port 12 20 Source Port 24 21 Source Port 25 22 Source Port 26 23 Source Port 7 24 Source Port 10 25 Source Port 11 26 Source Port 1 Indicates the port number or port trunknameofthesourceportortrunk assigned to the filter An automatically assigned index number used to identify the filter for a detailed information listing A filter retains its assigned IDX number for as long a...

Page 559: ... Action 1 10 100TX Forward 2 10 100TX Drop 3 10 100TX Drop 4 10 100TX Drop 5 10 100TX Drop 6 10 100TX Drop 7 10 100TX Drop 8 10 100TX Drop 9 10 100TX Drop 10 10 100TX Drop 11 10 100TX Drop 12 10 100TX Drop HP Switch config show filter 24 Traffic Security Filters Filter Type Source Port Source Port 10 Dest Port Type Action 1 10 100TX Drop 2 10 100TX Drop 3 10 100TX Drop 4 10 100TX Drop 5 10 100TX D...

Page 560: ...ce Port Source Port 1 Dest Port Type Action 1 10 100TX Forward 2 10 100TX Forward 3 10 100TX Forward 4 10 100TX Forward 5 10 100TX Forward 6 10 100TX Forward 7 10 100TX Drop 8 10 100TX Forward 9 10 100TX Forward 10 10 100TX Drop 11 10 100TX Drop 12 10 100TX Forward Accounting Server 1 Port 7 Port 1 Router to the Internet Port 12 Accounting Workstation 3 Port 13 Accounting Workstation 4 Network Des...

Page 561: ...filters we first remove the existing source port filters on the port The named source port filters now manage traffic on the switch ports as shown below using the show filter source port command HP Switch config filter source port named filter accounting forward 8 12 13 HP Switch config filter source port named filter no incoming web drop 8 12 13 HP Switch config HP Switch config show filter sourc...

Page 562: ...e IGMP controlled filter overrides the static multicast filter configured on that port Note that in the default configuration IGMP is disabled on VLANs configured in the switch To enable IGMP on a specific VLAN use the vlan vid ip igmp command For more on this command refer to the chapter titled Multimedia Traffic Control with IP Multicast IGMP in the Multicast and Routing Guide for your switch Th...

Page 563: ...affic Security filters configured with a multicast filter type and a multicast address in this range will continue to be in effect unless IGMP learns of a multicast group destination in this range In this case IGMP takes over the filtering function for the multicast destination address es for as long as the IGMP group is active If the IGMP group subsequently deactivates the static filter resumes c...

Page 564: ...Configuring Traffic Security Filters Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify 1 Select the static filter type s 2 For inbound traffic matching the filter type determine the filter action you want for each outbound destination port on the switch forward or drop The default action for a new filt...

Page 565: ...p traffic for the ports and or trunks in the designated destination port list Can be followed by forward destination port list if you have other destination ports set to drop that you want to change to forward If no drop or forward action is specified the switch automatically creates a filter with a forward action from the designated source port or trunk to all destination ports or trunks on the s...

Page 566: ... 16 17 Configuring a Filter on a Port Trunk This operation uses the same command as is used for configuring a filter on an individual port However the configuration process requires two steps 1 Configure the port trunk 2 Configure a filter on the port trunk by using the trunk name trk1 trk2 trk6 instead of a port name For example to create a filter on port trunk 1 to drop traffic received inbound ...

Page 567: ...drop traffic received on port 8 and destined for ports 1 and 2 The resulting filter is shown on the left in figure 12 14 Later you update the filter to drop traffic received on port 8 and destined for ports 3 through 5 Since only one filter exists for a given source port the filter on traffic from port 8 appears as shown on the right in figure 12 14 The 5 shows that port 5 is configured for filter...

Page 568: ...address multicast address and returns the destination ports for that filter to the Forward action forward drop port list Specifies whether the designated destination port s should forward or drop the filtered traffic protocol ip ipx arp appletalk sna netbeui Specifies a protocol type Traffic received on any port with this protocol type will be filtered Default Forward on all ports The no form of t...

Page 569: ... if you then delete the filter using index number 2 and then configure two new filters the first new filter will receive the index number 2 and the second new filter will receive the index number 4 This is because the index number 2 was made vacant by the earlier deletion and was therefore the lowest index number available for the next new filter Filter Type Filter Value Action Destination Ports S...

Page 570: ... number for as long as the filter exists in the switch The switch assigns the lowest available IDX number to a new filter This can result in a newer filter having a lower IDX number than an older filter if a previous filter deletion created a gap in the filter listing Filter Type Indicates the type of filter assigned to the IDX number source port multicast or protocol Value Indicates the port numb...

Page 571: ...how filter Traffic Security Filters IDX Filter Type Value 1 source port 1 2 source port 2 3 multicast 010000 123456 4 multicast 010000 224466 5 protocol Appletalk drop e 18 20 22 6 protocol Arp drop e 3 4 6 HP Switch config show filter 4 Traffic Security Filters Filter Type Multicast Multi cast Address 010000 224466 Dest Port Type Action 11000T Forward 21000T Forward 31000T Forward 41000T Forward ...

Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...

Page 573: ...hree RADIUS servers while allowing a given user to use the same entering valid user credentials for access from multiple points within the network General Features 802 1X on the switches covered in this guide includes the following Switch operation as both an authenticator for supplicants having a point to point connection to the switch and as a supplicant for point to point connections to other 8...

Page 574: ...2 1X authentication credentials for access to the switch The values configured can be stored in a configuration file using the include credentials command For infor mation about the password port access command see Do These Steps Before You Configure 802 1X Operation on page 13 13 On demand change of a port s configured VLAN membership status to support the current client session Session accountin...

Page 575: ... level security that allows LAN access only on ports where a single 802 1X capable client supplicant has entered authorized RADIUS user credentials For reasons outlined below this option is recommended for applications where only one client at a time can connect to the port Using this option the port processes all IP traffic as if it comes from the same client Thus in a topology where multiple cli...

Page 576: ...used instead of port based access control Using the user based method enables you to specify up to 32 authenticated clients Not e Port Based 802 1X can operate concurrently with Web Authentication or MAC Authentication on the same port However this is not a commonly used application and is not generally recommended For more information refer to the operating note on page 13 12 Alternative To Using...

Page 577: ...entication is used in which case the switch performs this function using its own username and password for authenticating a supplicant Authenticator In HP applications a switch that requires a supplicant to provide the proper credentials before being allowed access to the net work CHAP MD5 Challenge Handshake Authentication Protocol Client In this application an end node device such as a managemen...

Page 578: ...ged member of a VLAN 802 1X Open VLAN mode does not affect the port s access to the VLAN unless the port is statically configured as a member of a VLAN that is also configured as the Unauthorized Client or Authorized Client VLAN See also Untagged Membership in a VLAN Unauthorized Client VLAN A conventional static VLAN statically config ured on the switch It is used to provide access to a client pr...

Page 579: ...t 802 1q VLAN tagging A port can simultaneously have one untagged VLAN membership and multiple tagged VLAN memberships Depending on how you configure 802 1X Open VLAN mode for a port a statically configured untagged VLAN membership may become unavailable while there is a client session on the port See also Tagged Membership in a VLAN ...

Page 580: ...uest for the client 3 The switch responds in one of the following ways If 802 1X on the switch is configured for RADIUS authentication the switch then forwards the request to a RADIUS server i The server responds with an access challenge which the switch forwards to the client ii The client then provides identifying credentials such as a user certificate which the switch forwards to the RADIUS ser...

Page 581: ...en the switch assigns the port to the VLAN entered in the port s 802 1X configuration as an Authorized Client VLAN if configured c 3rd Priority If the port does not have an Authorized Client VLAN configured but does have a static untagged VLAN membership in its configuration then the switch assigns the port to this VLAN A port assigned to a VLAN by an Authorized Client VLAN configuration or a RADI...

Page 582: ...DIUS Assigned VLAN Authorized VLAN Configured Another Old Client Already Using Port Are All Old Clients On Unauthorized VLAN No No Yes Yes Assign New Client to RADIUS Specified VLAN Assign New Client toAuthorizedVLAN Configured on Port Assign New Client to Untagged VLAN Configured On Port Yes New Client VLAN Same As Old Client VLAN No Drop All Clients UsingUnauthorized VLAN No Reject New Client On...

Page 583: ...ured as an authenticator one authenticated client opens the port Other clients that are not running an 802 1X supplicant application can have access to the switch and network through the opened port If another client uses an 802 1X supplicant application to access the opened port then a re authentication occurs using the RADIUS configuration response for the latest client to authenticate To contro...

Page 584: ...low traffic to flow without authentication Refer to Configuring Switch Ports To Oper ate As Supplicants for 802 1X Connections to Other Switches on page 13 51 To help maintain security 802 1X and LACP cannot both be enabled on the same port If you try to configure 802 1X on a port already configured for LACP or the reverse you will see a message similar to the following Error configuring port X LA...

Page 585: ...s command is used to configure the operator username and password that are used as 802 1X credentials for networkaccesstotheswitch 802 1Xnetworkaccessisnotallowedunless a password has been configured using thepasswordport access command Figure 13 2 shows how to configure a local operator password for 802 1X access Syntax password port access user name name password Configures the operator username...

Page 586: ...forma tion on disabling LACP refer to the Note on page 13 18 To display the current configuration of 802 1X Web based and MAC authentication on all switch ports enter the show port access config command Figure 13 3 Example of show port access config Command Output HP Switch config password port access user name Jim secret3 HP Switch config show port access config Port Access Status Summary Port ac...

Page 587: ...pen VLAN Mode on page 13 32 5 For any port you want to operate as a supplicant determine the user credentials You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports This can also be the same local username password pair that you assign to the switch 6 Unless you are using only the switch s local username and password for 802 1X au...

Page 588: ... get network access Refer to page 13 18 2 If you want to provide a path for clients without 802 1X supplicant software to download the software so that they can initiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 13 32 3 Configure the 802 1X authentication type Options include Local Operator username and password using th...

Page 589: ... device then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches on page 13 51 Configuring Switch Ports as 802 1X Authenticators 802 1X Authentication Commands Page no aaa port access authenticator port list 13 18 auth vid clear statistics client limit control max requests initialize logoff period quiet period serv...

Page 590: ...rt the switch automatically dis ables LACP on that port However if the port is already operating in an LACP trunk you must remove the port from the trunk before you can configure it for 802 1X authentication A Enable the Selected Ports as Authenticators and Enable the Default Port Based Authentication Syntax no aaa port access authenticator port list Enables specified ports to operate as 802 1X au...

Page 591: ...t If a port currently has no authenticated client sessions the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session If another client session begins later on the same port while an earlier session is active the later session will be on the same untagged VLAN membership as the earlier session Note The client limi...

Page 592: ...ort based authentication which is the default setting for ports on which authentication is enabled Executing aaa port access authenticator port list enables 802 1X authenti cation on port list and enables port based authentica tion page 13 18 If a port currently has no authenticated client sessions the next authenticated client session the port accepts determines the untagged VLAN membership to wh...

Page 593: ...802 1X credentials or support 802 1X authentication You can still configure console Telnet or SSH security on the port auto the default The device connected to the port must support 802 1X authentication and provide valid credentials to get network access Optional You can use the Open VLAN mode to provide a path for clients without 802 1X supplicant software to down load this software and begin th...

Page 594: ...esponse to an authentication request If there is no response within the configured time frame the switch assumes that the authentication attempt has timed out Depending on the current max requests setting the switch will either send a new request to the server or end the authentication session Default 30 seconds max requests 1 10 Sets the number of authentication attempts that must time out before...

Page 595: ... to 802 1X Open VLAN Mode on page 13 32 aaa port access authenticator port list logoff period 1 999999999 Configures the period of time the switch waits for client activity before removing an inactive client from the port Default 300 seconds unauth period 0 255 Specifies a delay in seconds for placing a port on the Unauthorized Client VLAN This delay allows more time for a client with 802 1X suppl...

Page 596: ... aaa authentication port access chap radius eap radius local Configures local chap radius MD5 or eap radius as the primary password authentication method for port access The default pri mary authentication is local Refer to the documentation for your RADIUS server application For switches covered in this guide you must use the password port access command to configure the operator user name and pa...

Page 597: ...nd Accounting HP Switch config aaa authentication port access eap radius HP Switch config show authentication Status and Counters Authentication Information Login Attempts 3 Respect Privilege Disabled Login Login Login Access Task Primary Server Group Secondary Console Local None Telnet Local None Port Access EapRadius Webui Local None SSH Local None Web Auth ChapRadius None MAC Auth ChapRadius No...

Page 598: ...in the string It is not backward compatible the character is lost if you use a software version that does not support the character Syntax radius server key global key string Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server specific key This key is optional if all RADIUS server addresses configured in the switch include a ser...

Page 599: ...i cated state As documented in the IEEE 802 1X standard an 802 1X aware port that is unauthenticated can control traffic in either of the following ways In both ingress and egress directions by disabling both the reception of incoming frames and transmission of outgoing frames Only in the ingress direction by disabling only the reception of incoming frames Syntax aaa port access authenticator port...

Page 600: ...eeping workstation for example during early morning hours to perform routine maintenance operations such as patch management and software updates The aaa port access controlled direction in command allows Wake on LAN traffic to be transmitted on an 802 1X aware egress port that has not yet transitioned to the 802 1X authenticated state the controlled direction both setting prevents Wake on LAN tra...

Page 601: ... authenticator config command as shown in Figure 13 12 When an 802 1X authenticated port is configured with the controlled directions in setting eavesdrop prevention is not supported on the port Example Configuring 802 1X Controlled Directions The following example shows how to enable the transmission of Wake on LANtrafficintheegressdirectiononan802 1X awareportbeforeittransitions to the 802 1X au...

Page 602: ...enticated guests are removed from the port and the port becomes an untagged member of the client s untagged VLAN Characteristics of Mixed Port Access Mode The port keeps tagged VLAN assignments continuously The port sends broadcast traffic from the VLANs even when there are only guests authorized on the port Guests cannot be authorized on any tagged VLANs Guests can use the same bandwidth rate lim...

Page 603: ...1X Authenticators Configuring Mixed Port Access Mode Figure 13 8 Example of Configuring Mixed Port Access Mode Syntax no aaa port access port list mixed Enables or disables guests on ports with authenticated clients Default Disabled guests do not have access HP Switch config aaa port access 6 mixed ...

Page 604: ... process Note On ports configured to allow multiple sessions using 802 1X user based access control all clients must use the same untagged VLAN On a given port where there are no currently active authenticated clients the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent overlapping client sessions If the switch operates in an environment whe...

Page 605: ... VLAN entered in the port s 802 1X configuration as an Authorized Client VLAN if configured c 3rd Priority If the port does not have an Authorized Client VLAN configured but does have a static untagged VLAN membership in its configuration then the switch assigns the port to this VLAN A port assigned to a VLAN by an Authorized Client VLAN configuration or a RADIUS server will be an untagged member ...

Page 606: ...t statically configured as an untagged member of a VLAN you want clients to use or when the port is statically configured as an untagged member of a VLAN you do not want clients to use A port can be configured as untagged on only one port based VLAN When an Authorized Client VLAN is configured it will always be untagged and will block the port from using a statically configured untagged membership...

Page 607: ...the port already has a statically configured untagged membership in another VLAN then the port temporarily closes access to this other VLAN while in the Unauthorized Client VLAN To limit security risks the network services and access available ontheUnauthorized ClientVLANshouldincludeonlywhataclient needs to enable an authentication session If the port is statically configured as a tagged member o...

Page 608: ...on assigns a VLAN and there are no other authenticatedclientsontheport thentheportbecomesamember of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is connected If the port is statically configured as a tagged member of a VLAN andthisVLANisusedastheAuthorized ClientVLAN thentheport temporarily becomes an untagged member of this VLAN when the client becomes authentic...

Page 609: ... this assignment overrides any statically configured untagged VLAN membership on the port while the client is connected If the port is statically configured as a tagged member of a VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN Note that if the port is already configured as a ...

Page 610: ...ged member ofany other VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN then the port becomes an untagged member of that VLAN for the duration of the client connection Note A...

Page 611: ...isconnects from the port then the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured After client authen tication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 13 33 TemporaryVLANMembershipDuring a Client Session Port membership in a VLAN assigned to operate as the Unautho...

Page 612: ...nticatedclientdisconnects theswitchremovesthe port from the Authorized Client VLAN and moves it back to the untagged membership in the statically configured VLAN After client authentication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 13 33 Note This rule assumes No alternate VLAN has been assigned by a RADIUS server No other...

Page 613: ...authentication can begin Switch with a Port Configured To Allow Multiple Authorized Client Sessions When a new client is authenticated on a given port If no other clients are authenticated on that port then the port joins one VLAN in the following order of precedence a A RADIUS assigned VLAN if configured b An Authenticated Client VLAN if configured c A static port based VLAN to which the port bel...

Page 614: ...s means that any client accessing a given port must be able to authenticate and operate on the same VLAN as any other previously authenticated clients that are currently using the port Thus an Unauthorized Client VLAN configured on a switch port that allows multiple 802 1X clients cannot be used if there is already an authenticated client using the port on another VLAN Also a client using the Unau...

Page 615: ...n untagged member of another VLAN the port s access to that other VLAN will be temporarily removed while an authenticated client is connected to the port For example if i Port 5 is an untagged member of VLAN 1 the default VLAN ii You configure port 5 as an 802 1X authenticator port iii You configure port 5 to use an Authorized Client VLAN Then if a client connects to port 5 and is authenticated po...

Page 616: ...ticators The switch automatically disables LACP on the ports on which you enable 802 1X On the ports you will use as authenticators with VLAN operation ensure that the port control parameter is set to auto the default Refer to 1 Enable 802 1X Authentication on Selected Ports on page 13 18 This setting requires a client to support 802 1X authentication with 802 1X supplicant operation and to provid...

Page 617: ...er requires a different key than configured for the global encryption key The tilde character is allowed in the string It is not backward compatible the character is lost if you use a software version that does not support the character Syntax radius server key global key string Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a serve...

Page 618: ...Not e If you want to implement the optional port security feature on the switch you shouldfirstensurethattheportsyou haveconfiguredas802 1Xauthenticators operate as expected Then refer to Option For Authenticator Ports Configure Port Security To Allow Only 802 1X Authenticated Devices on page 13 49 After you complete steps 1 and 2 the configured ports are enabled for 802 1X authentication without ...

Page 619: ...or port list auth vid vlan id Configures an existing static VLAN to be the Authorized Client VLAN unauth vid vlan id Configures an existing static VLAN to be the Unautho rized Client VLAN HP Switch config aaa authentication port access eap radius Configures the switch for 802 1X authentication using an EAP RADIUS server HP Switch config aaa port access authenticator 10 20 Configures ports 10 20 as...

Page 620: ...eturns to tagged membership in VLAN X upon successful client authen tication This happens even if the RADIUS server assigns the port to another authorized VLAN Y Note that if RADIUS assigns VLAN X as anauthorizedVLAN then theportbecomesanuntaggedmemberofVLAN X for the duration of the client connection If there is no Authorized Client or RADIUS assigned VLAN then an authenticated client without tag...

Page 621: ... Authorize the port can allow access to a non authenticated client Port Security operates with 802 1X authentication only if the selected ports are configured as 802 1X with the control mode in the port access authenticator command set to auto the default setting For example if port A10 was at a non default 802 1X setting and you wanted to configure it to support the port security option you would...

Page 622: ...client limit sets 802 1X to user based operation on the specified ports When this limit is reached no further devices can be authenticated until a currently authenti cated device disconnects and the current delay period or logoff period has expired Configure the port access type Syntax aaa port access auth port list client limit 1 32 Configures user based 802 1X authentication on the specified por...

Page 623: ... configured for 802 1X supplicant operation You want to connect port 1 on switch A to port 5 on switch B Figure 13 10 Example of Supplicant Operation 1 When port A1 on switch A is first connected to a port on switch B or if the ports are already connected and either switch reboots port 1 begins sending start packets to port 5 on switch B 802 1X Authentication Commands page 13 17 802 1X Supplicant ...

Page 624: ...nse ID packet If switch B is configured for RADIUS authentication it forwards this request to a RADIUS server If switch B is configured for Local 802 1X authentication the authenticator compares the switch A response to its local username and password 2 The RADIUS server then responds with an MD5 access challenge that switch B forwards to port A1 on switch A 3 Port A1 replies with an MD5 hash resp...

Page 625: ...rd on the supplicant port Syntax no aaa port access supplicant ethernet port list Configures a port as a supplicant with either the default supp licant settings or any previously configured supplicant set tings whichever is most recent The no form of the command disables supplicant operation on the specified ports Syntax aaa port access supplicant ethernet port list To enable supplicant operation ...

Page 626: ...the supplicant port requests authentication See step 1 on page 13 51 for a description of how the port reacts to the authenticator response Default 3 held period 0 65535 Sets the time period the supplicant port waits after an active 802 1X session fails before trying to re acquire the authenticator port Default 60 seconds start period 1 300 Sets the delay between Start packet retransmissions That ...

Page 627: ...rt list detailed page 13 63 show port access supplicant page 13 68 Details of 802 1X Mode Status Listings page 13 64 RADIUS server configuration pages 13 25 Syntax show port access authenticator port list config statistics session counters vlan clients detailed If you enter the showport accessauthenticatorcommand with out an optional value the following configuration informa tion is displayed for ...

Page 628: ...n the port No No client specific CoS values are applied to any authenticated client on the port cos value Numerical value of the CoS 802 1p priority applied to inbound traffic from one authenticated client For client specific per port CoS values enter the showport accessweb basedclientsdetailed command Kbps In Limit Kbps of a port s bandwidth applied as an inbound rate limit to one authenticated c...

Page 629: ...4006 Yes 77777777 500000 Yes both 2 2 0 MACbased No No 500000 Yes both 3 4 0 1 Yes No 1000000 No both Syntax show port access authenticator config port list Displays 802 1X port access authenticator configuration settings including Whether port access authentication is enabled Whether RADIUS assigned dynamic VLANs are supported 802 1X configuration of ports that are enabled as 802 1X authenticator...

Page 630: ...thentication fails and the authentication session ends Quiet Period Period of time in seconds during which the port does not try to acquire a supplicant TX Timeout Period of time in seconds that the port waits to retransmit the next EAPOL PDU during an authentication session Supplicant Timeout Period of time in seconds that the switch waits for a supplicant response to an EAP request Server Timeou...

Page 631: ...ether RADIUS assigned dynamic VLANs are supported 802 1X supplicant s MAC address as determined by the content of the last EAPOL frame received on the port 802 1X traffic statistics from received and transmitted packets 802 1X configuration information for ports that are not enabled as an 802 1X authenticators is not displayed HP Switch config show port access authenticator statistics Port Access ...

Page 632: ...ed on each port Duration and status of active 802 1X authentication sessions in progress or terminated User name of 802 1X supplicant included in 802 1X response packets configured with the aaa port access supplicantidentity username command see page 13 49 802 1X configuration information for ports that are not enabled as an 802 1X authenticators is not displayed HP Switch config show port access ...

Page 633: ...n ticator Authentication mode used on each port configured with the aaaport accessauthenticatorcontrol command see page 13 21 VLAN ID if any to be used for traffic from 802 1X authenticated clients VLAN ID if any to be used for traffic from unauthenticated clients 802 1X configuration information for ports that are not enabled as an 802 1X authenticators is not displayed HP Switch config show port...

Page 634: ...d through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If an 802 1X authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table n a no info is displayed HP Switch config show port access authenticator cl...

Page 635: ...ADIUS server HP Switch config show port access authenticator clients 5 detailed Port Access Authenticator Client Status Detailed Client Base Details Port 5 Session Status Open Session Time sec 999999999 Frames In 999999999 Frames Out 99999999 Username webuser1 MAC Address 001321 eb8063 IP 2001 fecd ba23 cd1f dcb1 1010 9234 4088 Access Policy Details COS Map 70000000 In Limit 87 Untagged VLAN 3096 ...

Page 636: ... activated No No Authenticator Authenticator Current Current Curr Rate Port Status State Backend State VLAN ID Port COS Limit Inbound 1 Closed Connecting Idle 100 No override No override 2 Open Authorized Idle 101 No override No override 3 Closed Connecting Idle 100 No override No override 4 Closed Connecting Idle No PVID No override No override In these two show outputs an Unauth VLAN ID appearin...

Page 637: ...an authenticated 802 1X client is attached to the port Table 13 1 Output for Determining Open VLAN Mode Status Figure 13 18 Upper Status Indicator Meaning Access Control This state is controlled by the following port access command syntax HP Switch config aaa port access authenticator port list control authorized auto unauthorized Auto Configures the port to allow network access to any connected d...

Page 638: ...supplicant is connected to the port Current VLAN ID vlan id Lists the VID of the static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Current Port CoS Refer to the section describing RADIUS support for Identity Driven Management IDM in chapter 6 RADIUS Authentication Authorization and Accounting in this guide Curr Rate Limit Inbound Syntax...

Page 639: ...tagged Learn Up 2 Untagged Learn Up 3 Untagged Learn Up 4 Untagged Learn Up 2 Untagged Learn Up 4 Untagged Learn Up 23 Untagged Learn Up 24 Untagged Learn Up Overriden Port VLAN configuration Port Mode 1 Untagged 3 Untagged Note that ports 1 and 3 are not in the upper listing but are included under Overridden Port VLAN configuration This shows that static untagged VLAN memberships on ports 1 and 3...

Page 640: ...ction statistics it most recently received until one of the above events occurs Also if you move a link with an authenticator from one Syntax show port access supplicant port list statistics show port access supplicant port list Shows the port access supplicant configuration excluding the secret parameter for all ports or port list ports configured on the switch as supplicants The Supplicant State...

Page 641: ...bed below If the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not already configured as an untagged member of the static VLAN specified by the RADIUS server then the switch temporarily assignsport N asanuntaggedmemberoftherequiredVLAN fortheduration of the 802 1X session At the same time if port N ...

Page 642: ...rt is temporarily assigned as a member of an untagged static or dynamic VLAN for use during the client session according to the follow ing order of options a The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication b If RADIUS authentication does not include assigning the port to a VLAN then the switch assigns the port to the authorized client VLAN conf...

Page 643: ... server For information on how to enable the switch to dynamically create 802 1Q compliant VLANs on links to other devices using the GARP VLAN RegistrationProtocol GVRP seethechapteron GVRP intheAdvanced Traffic Management Guide For an authentication session to proceed a port must be an untagged member of the static or dynamic VLAN assigned by the RADIUS server or an authorized client VLAN configu...

Page 644: ...y active client session Therefore on a port where one or more authenticated client sessions are already running all such clients are on the same untagged VLAN If a RADIUS server subsequently authenticates a new client but attempts to re assign the port to a different untagged VLAN than the one already in use for the previously existing authenticated client sessions the connec tion for the new clie...

Page 645: ... 2 loses access to VLAN 33 for the duration of the 802 1X session on VLAN 22 You can verify the temporary loss of access to VLAN 33 by entering the show vlan 33 command as shown in Figure 13 21 HP Switch config show vlan 22 Status and Counters VLAN Information VLAN 22 VLAN ID 22 Name vlan 22 Status Static Voice No Jumbo No Port Information Mode Unknown VLAN Status 1 Tagged Learn Up 2 802 1X Learn ...

Page 646: ...rt A2 After the 802 1X Session Ends HP Switch config show vlan 33 Status and Counters VLAN Information VLAN 33 VLAN ID 33 Name VLAN_33 Status Static Voice No Jumbo No Port Information Mode Unknown VLAN Status 4 Tagged Learn Up Overriden Port VLAN configuration Port Mode 2 Untagged Even though port 2 is configured as Untagged on static VLAN 33 see figure 13 20 it does not appear in the VLAN 33 list...

Page 647: ...agement Guide Notes 1 If a port is assigned as a member of an untagged dynamic VLAN the dynamic VLAN configuration must exist at the time of authentication and GVRP for port access authentication must be enabled on the switch If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch the authentication fails 2 After you enable ...

Page 648: ...se the temporary VLAN assignment Re activates and resumes advertising the temporarily disabled VLAN assignment 3 If you disable the use of dynamic VLANs in an authentication session using the noaaaport accessgvrp vlans command client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated This behavior differs form how static VLAN assignment is handled in an authe...

Page 649: ...cannot be used MAC Lockdown Page 14 23 This feature also known as Static Addressing is used to prevent station movement and MAC address hijack ing by allowing a given MAC address to use only an assigned port on the switch MAC Lockdown also restricts the client device to a specific VLAN See also the Note above MAC Lockout Page 14 31 This feature enables you to block a specific MAC address so that t...

Page 650: ...f security violations Once port security is configured you can then monitor the network for security violations through one or more of the following Alert flags that are captured by network management tools such as HP E PCM Plus Alert Log entries in the WebAgent Event Log entries in the console interface Intrusion Log entries in the menu interface CLI or WebAgent For any port you can configure the...

Page 651: ...uide for your switch Port Access Allows only the MAC address of a device authenticated through the switch s 802 1X Port Based access control Refer to chapter 13 Configuring Port Based and User Based Access Control 802 1X For configuration details refer to Configuring Port Security on page 14 12 Eavesdrop Prevention Configuring port security on a given switch port automatically enables Eaves drop P...

Page 652: ...c with unknown destination addresses normally Port access Disabling Eavesdrop Prevention is not applied to the port There is no change Limited continuous When Eavesdrop Prevention is disabled the port transmits packets that have unknown destination addresses The port is secured MAC addresses age normally Eavesdrop Prevention may cause difficulties in learning MAC addresses as with static MAC addre...

Page 653: ...port will be scrambled hpSecurePortEntry 5 Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a security violation is detected the switch security measures block unauthorized traffic without disabling the port This implementation enables you to apply the security configuration to ports on which hubs switches or other devices are connected and to maintain secur...

Page 654: ...n Ports configured for either Active or Passive LACP and which are not members of a trunk can be configured for port security Switch A Port Security Configured Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A PC 2 MAC Address NOT Authorized by Switch A PC 3 MAC Address NOT Authorized by Switch A Switch C MAC Address NOT Authorized by Switch A Switch A Port Securi...

Page 655: ...ion alarms to an SNMP management station and to 2 option ally disable the port on which the intrusion was detected d How do you want to learn of the security violation attempts the switch detects You can use one or more of these methods Through network management That is do you want an SNMP trap sent to a net management station when a port detects a security violation attempt Through the switch s ...

Page 656: ... Use the global configuration level to execute port security configuration commands Port Security Display Options You can use the CLI to display the current port security settings and to list the currently authorized MAC addresses the switch detects on one or more ports show port security 14 9 show mac address 14 10 port security 14 12 port list 14 12 learn mode 14 12 address limit 14 15 mac addre...

Page 657: ... The following example lists the full port security configuration for a single port Syntax show port security show port security port number show port security port number port number port number The CLI uses the same command to provide two types of port security listings All ports on the switch with their Learn Mode and alarm Action Only the specified ports with their Learn Mode Address Limit ala...

Page 658: ...itch config show port security 1 3 6 8 Listing Authorized and Detected MAC Addresses Syntax show mac address port list mac address vlan vid Without an optional parameter show mac address lists the authorized MAC addresses that the switch detects on all ports mac address Lists the specified MAC address with the port on which it is detected as an authorized address port list Lists the authorized MAC...

Page 659: ...14 11 Configuring and Monitoring Port Security Port Security Figure 14 5 Examples of Show Mac Address Outputs ...

Page 660: ...revention on page 14 3 continuous Default Appears in the factory default setting or when you executenoport security Allows the port to learn addresses from the device s to which it is connected In this state the port accepts traffic from any device s to which it is connected Addresses learned in the learn continuous mode will age out and be automatically deleted if they are not used regularly The ...

Page 661: ...s but use mac addressto specify only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses it detects If for example You use mac address to authorize MAC address 0060b0 880a80 for port 4 You use address limit to allow three devices on port 4 and the port detects these MAC addresses 1 080090 136...

Page 662: ...d and User Based Access Control 802 1X configured Must specify which MAC addresses are allowed for this port Range is 1 default to 8 and addresses are not ageable Addresses are saved across reboots limited continuous Also known as MAC Secure or limited mode The limited parameter sets a finite limit to the number of learned addresses allowed per port You can set the range from 1 the default to a ma...

Page 663: ...nt and Configuration Guide for your switch To set the learn mode to limited use this command syntax port security port list learn mode limited address limit 1 32 action none send alarm send disable The default address limit is 1 but may be set for each port to learn up to 32 addresses The default action is none To see the list of learned addresses for a port use the command show mac port list addr...

Page 664: ...ed do not age out See also Retention of Static Addresses on page 14 17 action none send alarm send disable Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device or when Learn Mode is set to continuous and there is an address change on a port none Prevents an SNMP trap from being sent none is the default v...

Page 665: ...ig file and the running config file by exe cuting the write memory command The port learns a MAC address after you configure the port for Static learn mode in only the running config file and after the address is learned you execute write memory to configure the startup config file to match the running config file To remove an address learned using either of the preceding methods do one of the fol...

Page 666: ...send disable The next example does the same as the preceding example except that it specifies a MAC address of 0c0090 123456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device HP Switch config port security 1 learn mode static mac address 0c0090 123456 action send disable This example configures port 5 to Allow two MAC ...

Page 667: ... Example of Adding an Authorized Device to a Port With the above configuration for port A1 the following command adds the 0c0090 456456 MAC address as the second authorized address HP Switch config port security a1 mac address 0c0090 456456 After executing the above command the security configuration for port A1 would be The Address Limit has not been reached AlthoughtheAddress Limit is set to 2 o...

Page 668: ... Addresses list is already full as controlled by the port s current Address Limit setting then you must increase the Address Limit in order to add the device even if you want to replace one device with another Using the CLI you can simultaneously increase the limit and add the MAC address with a single command For example suppose port 1 allows one authorized device and already has a device listed ...

Page 669: ...t also reducing the Address Limit by 1 the port may subsequently detect and accept as authorized a MAC address that you do not intend to include in your Authorized Address list Thus if you use the CLI to remove a device that is no longer authorized it is recommended that you first reduce the Address Limit address limit integer by 1 as shown below This prevents the possibility of the same device or...

Page 670: ...Figure 14 10 Example of Port 1 After Removing One MAC Address When removing 0c0090 123456 first reducetheAddressLimitby1toprevent the port from automatically adding another device that it detects on the network HP Switch config show port security 1 Port Security Port 1 Learn Mode Continuous StaticAddress Limit 1 2 Action None None Eavesdrop Prevention Enabled Enabled Authorized Addresses 0c0090 12...

Page 671: ...not specify a VLAN ID VID the switch inserts a VID of 1 How It Works When a device s MAC address is locked down to a port typically in a pair with a VLAN all information sent to that MAC address must go through the locked down port If the device is moved to another port it cannot receive data Traffic to the designated MAC address goes only to the allowed port whether the device is connected to it ...

Page 672: ... but will not receive data if that data must go through the locked down switch Please note that if the device moves to a distant part of the network where data sent to its MAC address never goes through the locked down switch it may be possible for the device to have full two way communication For full and complete lockdown network wide all switches must be configured appropriately Other Useful In...

Page 673: ...h ports they are allowed to use only one port per MAC Address on the same switch in the case of MAC Lockdown You can still use the port for other MAC addresses but you cannot use the locked down MAC address on other ports Using only port security the MAC Address could still be used on another port on the same switch MAC Lockdown on the other hand is a clear one to one relationship between the MAC ...

Page 674: ...messages in the log file can be useful for troubleshooting problems If you are trying to connect a device which has been locked down to the wrong port it will not work but it will generate error messages like this to help you determine the problem Limiting the Frequency of Log Messages The first move attempt or intrusion is logged as you see in the example above Subsequent move attempts send a mes...

Page 675: ...s The purpose of using MAC Lockdown is to prevent a malicious user from hijacking an approved MAC address so they can steal data traffic being sent to that address As we have seen MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MA...

Page 676: ...data can travel to Server A You can use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go through the one port on the edge switches That way users on the edge can still use other network resources but they cannot spoof Server A and hijack data traffic which is intended for that server alone 3800 Switch 8212zl Switch 8212zl Switch 3800 Switch Internal Core Network...

Page 677: ...ge any traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect agains...

Page 678: ...re would defeat the purpose of using MSTP or having an alternate path Technologies such as MSTP or meshing are primarily intended for an inter nal campus network environment in which all users are trusted MSTP and meshing do not work well with MAC Lockdown If you deploy MAC Lockdown as shown in the Model Topology in figure 14 11 page 14 28 you should have no problems with either security or connec...

Page 679: ...se the MAC Lockout command on all switches To use MAC Lockout you must first know the MAC Address you wish to block How It Works Let s say a customer knows there are unauthorized wireless clients whoshouldnothaveaccess to thenetwork The networkadministrator locks out the MAC addresses for the wireless clients by using the MAC Lockout command lockout mac mac address When the wireless clients then a...

Page 680: ...as a drop As this can quickly fill the MAC table restrictions are placed on the number of lockout MAC addresses based on the number of VLANs configured There are limits for the number of VLANs Multicast Filters and Lockout MACs that can be configured concurrently as all use MAC table entries The limits are shown below Table 14 13 Limits on Lockout MACs VLANs Configured Number of MAC Lockout Addres...

Page 681: ...op access from known devices because it can be configured for all ports on the switch with one command It is possible to use MAC Lockout in conjunction with port security You can use MAC Lockout to lock out a single address deny access to a specific device but still allow the switch some flexibility in learning other MAC Addresses Be careful if you use both together however If a MAC Address is loc...

Page 682: ... the following ways to notify you The switch sets an alert flag for that port This flag remains set until You use either the CLI menu interface or WebAgent to reset the flag The switch is reset to its factory default configuration The switch enables notification of the intrusion through the following means In the CLI The show port security intrusion log command displays the Intrusion Log The log c...

Page 683: ... intrusion at the top of the listing You cannot delete Intrusion Log entries unless you reset the switch to its factory default configuration Instead if the log is filled when the switch detects a new intrusion the oldest entry is dropped off the listing and the newest entry appears at the top of the listing Keeping the Intrusion Log Current by Resetting Alert Flags When a violation occurs on a po...

Page 684: ...setting Alert Flags The following commands display port status including whether there are intrusion alerts for any port s list the last 20 intrusions and either reset the alert flag on all ports or for a specific port for which an intrusion was detected The record of the intrusion remains in the log For more information refer to Operating Notes for Port Security on page 14 39 In the following exa...

Page 685: ...that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset To clear the intrusion from port A1 and enable the switch to enter any subsequentintrusionforportA1intheIntrusionLog executetheport security clear intrusion flag command If you then re display the port status screen you HP Switch config show int brief Status and Counters Port Status Intrusion MDI ...

Page 686: ...4 35 Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as W MM DD YY HH MM SS FFI port 3 Security Violation where W is the severity level of the log entry and FFI is the system module that generated the entry For further information display the Intrusion Log as shown below From the CLI Type the log command from the Manager or Configuration level Syntax log s...

Page 687: ...ou are using the WebAgent through a switch port configured for Static port security and your browser access is through a proxy web server then it is necessary to do the following Enter your PC or workstation MAC address in the port s Authorized Addresses list Enter your PC or workstation s IP address in the switch s IP Authorized Managers list See Using Authorized IP Managers in the Management and...

Page 688: ...ns that even if an entry is forced off of the Intrusion Log no new intrusions can be logged on the port referenced in that entry until you reset the alert flags LACP Not Available on Ports Configured for Port Security To main tain security LACP is not allowed on ports configured for port security If you configure port security on a port on which LACP active or passive is configured the switch remo...

Page 689: ...deviceby invoking anyother access security features If the Authorized IP Managers feature disallows access to the device then access is denied Thus with authorized IP managers config ured having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch s Authorized IP Managers configuration You can use A...

Page 690: ...15 2 Using Authorized IP Managers Overview Not e When no Authorized IP manager rules are configured the access method feature is disabled that is access is not denied ...

Page 691: ...ment access to the switch even though a duplicate IP address condition exists For these reasons you should enhance your network s security by keepingphysicalaccesstotheswitchrestrictedtoauthorizedpersonnel using the username password and other security features available in the switch and preventing unauthorized access to data on your management stations Access Levels Foreachauthorizedmanageraddre...

Page 692: ...P Entry on page 15 11 To configure the switch for authorized manager access enter the appropriate Authorized Manager IP value specify an IP Mask and select either Manager or Operator for the Access Level The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a manage ment station Not e If the management VLAN is configured access can only be on t...

Page 693: ...nu Viewing and Configuring IP Authorized Managers Only IPv4 is supported when using the menu to set the management access method From the console Main Menu select 2 Switch Configuration 6 IP Authorized Managers Figure 15 1 Example of How to Add an Authorized Manager Entry HP Switch 22 Apr 2008 20 17 53 CONSOLE MANAGER MODE Switch Configuration IP Managers Authorized Manager IP IP Mask Access Level...

Page 694: ...e switch For example HP Switch 22 Apr 2008 20 17 53 CONSOLE MANAGER MODE Switch Configuration IP Managers Authorized Manager IP 10 10 245 3 IP Mask 255 255 255 255 255 255 255 255 Access Level Operator Access Method ssh Actions Back Add Edit Delete Help Enter an Authorized Manager IP address here Use the default mask to allow access by one management device or edit the mask to allow access by a bl...

Page 695: ...6 authorized managers ip address ip mask access manager operator access method all ssh telnet web snmp tftp Configures one or more authorized IP addresses access manager operator Configures the privilege level for ip address Applies only to access through telnet SSH SNMPv1 SNMPv2c and SNMPv3 Default manager access method all ssh telnet web snmp tftp Configures access levels by access method and IP...

Page 696: ...s the Manager access To Edit an Existing Manager Access Entry To change the mask or access level for an existing entry use the entry s IP address and enter the new value s Notice that any parameters not included in the command will be set to their default HP Switch config ip authorized managers 10 28 227 101 255 255 255 0 access operator The above command replaces the existing mask and access leve...

Page 697: ...ree click on Security 2 Click on IP Authorization 3 Click on Add Address to add an IP Authorized Manager Enter the appro priate parameter settings for the operation you want 4 To delete an IP authorized Manager select the Authorized Address and click on Delete 5 To change IP Authorization parameters click on Change in the IP Autho rization Details box Enter the information and click on Save Figure...

Page 698: ...the authorized station 2 If you don t need proxy server access on the authorized station disable the proxy server feature in the station s web browser interface Not e IP or MAC authentication can be used without a web proxy server Using a Web Proxy Server to Access the WebAgent C a u t i o n This is NOT recommended Using a web proxy server between the stations and the switch poses a security risk ...

Page 699: ...P mask to the IP address you specify to determine a range of authorized IP addresses for management access As described above that range can be as small as one IP address if 255 is set for all octets in the mask or can include multiple IP addresses if one or more octets in the mask are set to less than 255 If a bit in an octet of the mask is on set to 1 then the corresponding bit in the IP address...

Page 700: ...esponding IP address is allowed However the zero 0 in the 4th octet of the mask allows any value between 0 and 255inthatoctetofthecorrespondingIPaddress Thismaskallowsswitch access to any device having an IP address of 10 28 227 xxx where xxx is any value from 0 to 255 Authorized Manager IP 10 28 227 125 IP Mask 255 255 255 249 In this example figure 15 8 below the IP mask allows a group of up to ...

Page 701: ... authorized to access the switch The first three octets of the station s IP address must match the Authorized IP Address Bit 0 and Bits 3 through 6 of the 4th octet in the station s address must be on value 1 Bit 7 of the 4th octet in the station s address must be off value 0 Bits 1 and 2 can be either on or off This means that stations with the IP address 13 28 227 X where X is 121 123 125 or 127...

Page 702: ...ts Web Proxy Servers If you use the WebAgent to access the switch from an authorized IP manager station it is recommended that you avoid the use of a web proxy server in the path between the station and the switch This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list This reduces security by opening switch access...

Page 703: ...ned to configure and maintain key chains A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request A protocol instance is usually an interface on which the protocol is running Terminology Key Chain A key or set of keys ass...

Page 704: ...e level of security required for the protocol to which the key entry will be assigned 3 Assign the key chain to a KMS enabled protocol This procedure is protocol dependent For information on a specific protocol refer to the chapter covering that protocol in the Management and Configu ration Guide for your switch Creating and Deleting Key Chain Entries To use the Key Management System KMS you must ...

Page 705: ...ax no key chain chain_name Generate or delete a key chain entry Using the optional no form of the command deletes the key chain The chain_name parameter can include up to 32 characters show key chain Displays the current key chains on the switch and their overall status Syntax no key chain chain_name key key_id Generates or deletes a key in the key chain entry chain_name Using the optional no form...

Page 706: ...ey to be accepted at any time from boot up until the key is removed send lifetime infinite Allows the switch to send this key as authorization from boot up until the key is removed show key chain chain_name Displays the detail information about the keys used in the key chain named chain_name HP Switch config key chain HP Switch1 key1 HP Switch config show key chain HP Switch1 Chain HP Switch1 Key ...

Page 707: ...time of the valid period in which the switch can use this key to authenticate inbound packets duration mm dd yy yy hh mm ss seconds Specifies the time period during which the switch can use this key to authenticate inbound packets Duration is either an end date and time or the number of seconds to allow after the start date and time which is the accept lifetime setting send lifetime mm dd yy yy hh...

Page 708: ...because either their key has expired while in transport or there are significant time variations between switches To list the result of the commands in figure 16 3 HP Switch config key chain HP Switch2 key 1 accept lifetime 01 17 03 8 00 00 01 18 11 8 10 00 send lifetime 01 17 03 8 00 00 01 18 11 8 00 00 HP Switch config key chain HP Switch2 key 2 accept lifetime 01 18 03 8 00 00 duration 87000 se...

Page 709: ...ain HP Switch2 Chain HP Switch2 Key Accept Start GMT Accept Stop GMT Send Start GMT Send Stop GMT 1 01 17 03 08 00 00 01 18 03 08 10 00 01 17 03 08 00 00 01 18 03 08 00 00 2 01 18 03 08 00 00 01 19 03 08 10 00 01 18 03 08 00 00 01 19 03 08 00 00 3 01 19 03 08 00 00 01 20 03 08 10 00 01 19 03 08 00 00 01 20 03 08 00 00 4 01 20 03 08 00 00 01 21 03 08 10 00 01 20 03 08 00 00 01 21 03 08 00 00 5 01 2...

Page 710: ... not expire HP Switch2 uses time dependent keys which result in this data Keys 4 and 5 are either not yet active or expired The total number of keys is 5 Expired 1 Key 1 has expired because its lifetime ended at 8 10 on 01 18 03 the previous day Active 2 Key 2 and 3 are both active for 10 minutes from 8 00 to 8 10 on 1 19 03 ...

Page 711: ...36 delay Unauth Client VLAN 13 23 DHCP server 13 41 display all 802 1X Web and MAC authentication configuration 4 13 displaying 802 1X port configuration 13 57 13 58 13 59 13 60 13 61 EAP 13 2 EAPOL 13 5 13 59 eap radius 13 24 enabling controlled directions 13 27 on ports 13 18 on switch 13 26 features 13 1 force authorized 13 21 13 65 force unauthorized 13 21 13 65 general setup 13 13 guest VLAN ...

Page 712: ...ver timeout 13 22 show commands 13 55 show commands supplicant 13 68 statistics 13 55 supplicant client not using 13 37 configuring switch port 13 53 enabling switch port 13 53 identity option 13 53 secret 13 53 switch port operating as 13 51 supplicant state 13 68 supplicant statistics note 13 68 supplicant configuring 13 51 supplicant timeout 13 22 terminology 13 4 traffic flow on unathenticated...

Page 713: ...0 73 extended configure 10 74 numbered configure 10 75 IPX 10 31 mask CIDR 3 24 removing from a VLAN 10 81 wildcard defined 7 14 ACL connection rate See connection rate filtering ACL IPv4 802 1X client limit 10 18 802 1X port based not recommended 10 18 802 1X effect on 10 18 ACE after match not used 10 32 10 45 defined 10 8 general rules 10 48 insert in list 10 88 limit 10 33 minimum number 10 12...

Page 714: ...10 7 10 60 named configure 10 61 numeric I D range 10 41 protocol options 10 41 remark 10 7 10 60 resequence 10 6 10 60 sequence number 10 6 10 59 structure 10 43 use 10 13 features common to all 10 22 filter rule when RACL VACL and or port ACL all apply 10 20 filtering methods 10 13 filtering process 10 27 10 32 hit count See statistics ACE host option 10 38 ICMP code 10 79 configure 10 79 option...

Page 715: ...d from trunk 10 34 port based 802 1X 10 18 port based security 10 18 ports affected 10 34 precedence 10 23 10 78 precedence numbers and names 10 65 purpose 10 2 RACL configure 10 7 defined 10 3 inbound traffic 10 10 operation defined 10 13 RACL applications 10 14 screening switched traffic 10 20 RACL outbound traffic not filtered 10 128 RADIUS server support 7 1 RADIUS assigned 10 3 10 4 10 9 10 1...

Page 716: ...tch 10 35 types filtered 10 2 traffic types filtered 10 29 troubleshooting 10 117 troubleshooting client authentication 7 20 trunk 10 34 adding port 10 34 type 10 46 10 51 10 89 10 97 10 100 user based 802 1X 10 18 user based security 10 18 VACL configure 10 7 defined 10 3 operation defined 10 14 VACL applications 10 16 VLAN ACL IPv4 See VACL VLANs 10 33 where applied to traffic 10 25 10 34 wildca...

Page 717: ...15 9 configuring in console 15 5 definitions of single and multiple 15 4 effect of duplicate IP addresses 15 14 IP mask for multiple stations 15 11 IP mask for single station 15 11 IP mask operation 15 4 manager operator 15 7 operating notes 15 14 overview 15 1 troubleshooting 15 14 authorized server 11 4 authorized server address configuring 11 7 authorized option for authentication 6 10 13 24 au...

Page 718: ...d host 3 6 routed traffic 3 9 sensitivity level 3 4 3 7 sensitivity level changing 3 16 sensitivity level command 3 10 show command 3 14 3 15 signature recognition 3 1 3 2 SNMP trap 3 4 throttle 3 4 3 5 3 11 trigger 3 3 3 6 3 9 unblock command 3 8 3 16 unblocking a host 3 6 VLAN delete effect 3 6 worm 3 1 3 2 console authorized IP managers configuring 15 5 control bits TCP 10 69 CoS configuring fo...

Page 719: ...curity 1 7 SNMP access 1 14 SNMP access to the security MIB open 6 30 SNMP public unrestricted 1 5 source port filters none 12 2 spanning tree bpdu filtering none 1 9 bpdu protection none 1 9 SSH disabled 1 4 8 1 SSL disabled 1 5 9 1 TACACS authentication configuration 5 8 authentication disabled 1 5 5 1 login attempts 3 5 5 tacacs server timeout 5 seconds 5 23 TCP port number for SSH connections ...

Page 720: ...archy of precedence in authentication sessions 1 18 overview 1 16 dynamic IP lockdown debugging 11 30 DHCP binding database 11 24 DHCP leases 11 24 DHCP snooping 11 23 enabling 11 25 filtering IP addresses 11 24 overview 11 22 platform differences 11 31 spoofing protection 11 23 verifying configuration 11 28 VLAN binding 11 24 dynamic port ACL See RADIUS assigned ACL dyn autz port 6 18 E eavesdrop...

Page 721: ... credentials interface unknown vlans command 13 75 intrusion alarms entries dropped from log 14 40 event log 14 38 prior to 14 40 Intrusion Log prior to 14 37 IP address count 11 33 authorized IP managers 15 1 reserved port numbers 8 19 IP attribute 6 49 IP masks building 15 11 for multiple authorized manager stations 15 11 for single authorized manager station 15 11 operation 15 4 IP routing dyna...

Page 722: ...2 overview 1 6 port access 13 2 reauthentication client 4 63 restrictive filter 4 63 rules of operation 4 10 show status and configuration 4 65 terminology 4 9 unauth redirect command 4 59 4 60 unconfigure registration server 4 64 web registration 4 59 MAC Lockdown 14 1 MAC lockout 14 1 number of vlans 14 32 manager password 2 2 2 4 2 5 recommended 5 6 saving to configuration file 2 12 MD5 See RAD...

Page 723: ...o configuration file 2 12 PCM 7 2 See HP E PCM Plus peap mschapv2 6 10 port security configuration 14 1 trusted 11 17 untrusted 11 19 11 27 port access client limit 13 19 13 20 concurrent 13 19 13 20 MAC authentication 13 2 tracking client authentication failures 11 33 Web authentication 13 2 Web MAC 13 19 13 20 See also 802 1X access control port ACL 10 3 port monitoring ACL 10 14 port scan detec...

Page 724: ...s 6 70 dynamic port ACL 7 13 dyn autz port 6 18 Egress VLAN ID attribute 6 44 Egress VLAN Name attribute 6 44 Framed IP Address 6 49 general setup 6 5 HP acct terminate cause attribute 6 45 HP Command Exception 6 38 HP command string 6 38 IP attribute 6 49 IPv4 ACL 7 1 IPv6 ACL 7 1 local authentication 6 12 login privilege mode application options 6 13 login privilege mode 6 12 manager access deni...

Page 725: ...efined 7 13 resource monitor 7 42 source routing caution 7 17 standard attribute 7 23 static port ACL 7 13 switched packets 7 20 terminology 7 11 terms 7 11 vendor specific attribute 7 23 7 24 wildcard 7 12 7 14 wildcard defined 7 14 See also ACLs radius server host key with tilde character 4 16 key with tilde character 4 16 oobm 4 16 rate limiting 11 34 ACL 10 11 override 7 6 13 64 RADIUS adminis...

Page 726: ...s not supported in download ed file 2 21 snooping authorized server 11 4 authorized server address 11 7 binding database 11 11 changing remote id 11 10 DHCP 11 2 disable MAC check 11 10 Option 82 11 4 11 8 statistics 11 5 untrusted policy 11 9 verify 11 4 source port filters configuring 12 3 named 12 5 operating rules 12 3 See also named source port filters selection criteria 12 3 source routing c...

Page 727: ...ificate 9 7 9 10 generate server host certificate 9 7 generating Host Certificate 9 6 host key pair 9 7 key babble 9 10 key fingerprint 9 10 man in the middle spoofing 9 13 OpenSSL 9 1 operating notes 9 5 operating rules 9 5 passwords assigning 9 6 prerequisites 9 4 remove self signed certificate 9 7 remove server host certificate 9 7 reserved TCP port numbers 9 15 root 9 3 root certificate 9 3 se...

Page 728: ... on 5 4 tacacs oobm 5 18 TACACS key string with tilde character 5 20 TCP reserved port numbers 9 15 TCP control bits 10 69 TCP UDP monitoring packets to closed ports 11 33 test 5 17 TLS See RADIUS troubleshooting authentication via Telnet 5 17 authorized IP managers 15 14 trunk filter source port 12 2 12 18 LACP 802 1X not allowed 13 18 port added or removed ACL 10 34 See also LACP trusted port 11...

Page 729: ...rent with MAC 4 3 configuration commands 4 19 configuring access control on unauthenticated ports 4 20 controlled directions 4 20 on the switch 4 18 switch for RADIUS access 4 15 display all 802 1X Web and MAC authentication configuration 4 13 13 14 general setup 4 12 hierarchy of precedence in authentication session 1 17 LACP not allowed 4 12 overview 1 6 port access 13 2 redirect URL 4 9 rules o...

Page 730: ...20 Index ...

Page 731: ......

Page 732: ...subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP will not be liable for technical or editorial errors or omissions contained herein September 2011 Manual Part Number 5998 2709 ...

Reviews: