Home
/
HP
/
HP ProCurve Series 6600
/
Access Security Manual

HP HP ProCurve Series 6600, Access Security Manual, Page: 577 / 778

Share

Page: 577 / 778

HP HP ProCurve Series 6600 Access Security Manual Download Page 577

11-27

Configuring Advanced Threat Protection

Dynamic IP Lockdown

•

Dynamic IP lockdown only filters packets in VLANs that are enabled
for DHCP snooping. In order for Dynamic IP lockdown to work on a
port, the port must be configured for at least one VLAN that is enabled
for DHCP snooping.

To enable DHCP snooping on a VLAN, enter the

dhcp-snooping vlan

[

vlan-id-range

]

command at the global configuration level or the

dhcp-snooping

command at the VLAN configuration level.

•

Dynamic IP lockdown is not supported on a trusted port. (However,
note that the DHCP server must be connected to a trusted port when
DHCP snooping is enabled.)

By default, all ports are untrusted. To remove the trusted configura-
tion from a port, enter the

no dhcp-snooping trust

<

port-list

>

command

at the global configuration level.

For more information on how to configure and use DHCP snooping, see
“DHCP Snooping” on page 11-3.

■

After you enter the

ip source-lockdown

command (enabled globally with

the desired ports entered in <

port-list

>), the dynamic IP lockdown feature

remains disabled on a port if any of the following conditions exist:

•

If DHCP snooping has not been globally enabled on the switch.

•

If the port is not a member of at least one VLAN that is enabled for
DHCP snooping.

•

If the port is configured as a trusted port for DHCP snooping.

Dynamic IP lockdown is activated on the port only after you make the
following configuration changes:

•

Enable DHCP snooping on the switch.

•

Configure the port as a member of a VLAN that has DHCP snooping
enabled.

•

Remove the trusted-port configuration.

■

You can configure dynamic IP lockdown only from the CLI; this feature
cannot be configured from the WebAgent or menu interface.

■

If you enable dynamic IP lockdown on a port, you cannot add the port to
a trunk.

■

Dynamic IP lockdown must be removed from a trunk before the trunk is
removed.

«
...
575
576
577
578
579
...
»

Summary of Contents for HP ProCurve Series 6600

Page 1: ...HP Switch Software 3500 switches 3500yl switches 5400zl switches 6200yl switches 6600 switches 8200zl switches Software version K 15 06 September 201 1 Access Security Guide ...

Page 2: ......

Page 3: ...HP Networking 3500 Switches 3500yl Switches 5400zl Switches 6200yl Switch 6600 Switches 8200zl Switches Access Security Guide September 2011 K 15 06 ...

Page 4: ...tion and usein source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentati...

Page 5: ...California 95747 5551 www hp com networking support Software End User License Agreement and Hardware Limited Warranty For the software end user license agreement and the hardware limited warranty information for HP Networking products visit www hp com networking support ...

Page 6: ...iv ...

Page 7: ...he Management Interface Wizard 1 10 CLI Management Interface Wizard 1 11 WebAgent Management Interface Wizard 1 12 SNMP Security Guidelines 1 13 Precedence of Security Options 1 15 Precedence of Port Based Security Options 1 15 Precedence of Client Based Authentication Dynamic Configuration Arbiter 1 15 HP E Network Immunity Manager 1 16 Arbitrating Client Specific Attributes 1 17 HP PMC Identity ...

Page 8: ...02 1X Port Access Credentials 2 18 TACACS Encryption Key Authentication 2 18 RADIUS Shared Secret Key Authentication 2 19 Include Credentials Radius Tacacs Only Option 2 20 SSH Client Public Key Authentication 2 21 Displaying the Status of Include Credentials on the Switch 2 24 Storage States When Using Include Credentials 2 25 Operating Notes 2 26 Restrictions 2 28 Encrypting Credentials in the C...

Page 9: ...ity to Connection Rate Detection 3 4 Application Options 3 4 Operating Rules 3 5 Unblocking a Currently Blocked Host 3 6 General Configuration Guidelines 3 7 For a network that is relatively attack free 3 7 For a network that appears to be under significant attack 3 8 Configuring Connection Rate Filtering 3 9 Global and Per Port Configuration 3 9 Enabling Connection Rate Filtering and Configuring ...

Page 10: ...LANs 4 3 RADIUS Based Authentication 4 4 Wireless Clients 4 4 How Web and MAC Authentication Operate 4 5 Web based Authentication 4 5 MAC based Authentication 4 7 Terminology 4 9 Operating Rules and Notes 4 10 Setup Procedure for Web MAC Authentication 4 12 Before You Configure Web MAC Authentication 4 12 Configuring the RADIUS Server To Support MAC Authentication 4 15 Configuring the Switch To Ac...

Page 11: ... Auth Client 4 63 Configuring the Registration Server URL 4 64 Unconfiguring a MAC Auth Registration Server 4 64 Operating Notes for HTTP Redirect 4 64 Show Commands for MAC Based Authentication 4 65 Client Status 4 71 5 TACACS Authentication Overview 5 1 Terminology Used in TACACS Applications 5 2 General System Requirements 5 4 General Authentication Setup Procedure 5 4 Configuring TACACS on the...

Page 12: ...ting Services 6 2 RADIUS Administered CoS and Rate Limiting 6 2 RADIUS Administered Commands Authorization 6 2 SNMP Access to the Switch s Authentication Configuration MIB 6 3 Terminology 6 4 Switch Operating Rules for RADIUS 6 5 General RADIUS Setup Procedure 6 6 Configuring the Switch for RADIUS Authentication 6 7 Outline of the Steps for Configuring RADIUS Authentication 6 8 1 Configure Authent...

Page 13: ...in an Authentication Session 6 47 Tagged and Untagged VLAN Attributes 6 47 Additional RADIUS Attributes 6 48 MAC Based VLANs 6 51 Accounting Services 6 52 Accounting Service Types 6 52 Operating Rules for RADIUS Accounting 6 53 Acct Session ID Options in a Management Session 6 54 Unique Acct Session ID Operation 6 54 Common Acct Session ID Operation 6 56 Configuring RADIUS Accounting 6 57 Steps fo...

Page 14: ... for Switch Services Overview 7 1 RADIUS Client and Server Requirements 7 1 Optional HP PCM and IDM Network Management Applications 7 2 RADIUS Server Configuration for CoS 802 1p Priority and Rate Limiting 7 3 Applied Rates for RADIUS Assigned Rate Limits 7 5 Viewing the Currently Active Per Port CoS and Rate Limiting Configuration Specified by a RADIUS Server 7 7 Configuring and Using Dynamic RAD...

Page 15: ...essages 7 43 Causes of Client Deauthentication Immediately After Authenticating 7 43 Monitoring Shared Resources 7 43 8 Configuring Secure Shell SSH Overview 8 1 Terminology 8 3 Prerequisite for Using SSH 8 4 Public Key Formats 8 4 Steps for Configuring and Using SSH for Switch and Client Authentication 8 5 General Operating Rules and Notes 8 7 Configuring the Switch for SSH Operation 8 8 1 Assign...

Page 16: ...g the SSH Client Known Hosts File 8 37 Displaying Open Sessions 8 37 Messages Related to SSH Operation 8 39 Logging Messages 8 40 Debug Logging 8 40 9 Configuring Secure Socket Layer SSL Overview 9 1 Terminology 9 3 Prerequisite for Using SSL 9 4 Steps for Configuring and Using SSL for Switch and Client Authentication 9 4 General Operating Rules and Notes 9 5 Configuring the Switch for SSL Operati...

Page 17: ... Summary for IPv4 Extended ACLs 10 6 Command Summary for Enabling Disabling and Displaying ACLs 10 7 Terminology 10 8 Overview 10 13 Types of IPv4 ACLs 10 13 ACL Applications 10 13 RACL Applications 10 14 VACL Applications 10 16 Static Port ACL and RADIUS Assigned ACL Applications 10 16 RADIUS Assigned Dynamic Port ACL Applications 10 17 Multiple ACLs on an Interface 10 19 Features Common to All A...

Page 18: ...e of Entries in an ACL Is Significant 10 45 Allowing for the Implied Deny Function 10 47 A Configured ACL Has No Effect Until You Apply It to an Interface 10 47 You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch s Configuration 10 47 Using the CLI To Create an ACL 10 48 General ACE Rules 10 48 Using CIDR Notation To Enter the IPv4 ACL Mask 10 49 Confi...

Page 19: ...ACL Assignments for a VLAN 10 100 Display Static Port and Trunk ACL Assignments 10 101 Displaying the Content of a Specific ACL 10 103 Display All ACLs and Their Assignments in the Routing Switch Startup Config File and Running Config File 10 106 Creating or Editing ACLs Offline 10 107 Creating or Editing an ACL Offline 10 107 The Offline Process 10 107 Example of Using the Offline Process 10 108 ...

Page 20: ...se 11 12 Operational Notes 11 13 Log Messages 11 14 Dynamic ARP Protection 11 16 Introduction 11 16 Enabling Dynamic ARP Protection 11 18 Configuring Trusted Ports 11 18 Adding an IP to MAC Binding to the DHCP Database 11 20 Configuring Additional Validation Checks on ARP Packets 11 21 Verifying the Configuration of Dynamic ARP Protection 11 21 Displaying ARP Packet Statistics 11 22 Monitoring Dyn...

Page 21: ...on 12 2 Filter Limits 12 2 Using Port Trunks with Filters 12 2 Filter Types and Operation 12 3 Source Port Filters 12 3 Operating Rules for Source Port Filters 12 3 Example 12 4 Named Source Port Filters 12 5 Operating Rules for Named Source Port Filters 12 6 Defining and Configuring Named Source Port Filters 12 6 Viewing a Named Source Port Filter 12 8 Using Named Source Port Filters 12 8 Static ...

Page 22: ...1X Access Control 13 13 Do These Steps Before You Configure 802 1X Operation 13 13 Overview Configuring 802 1X Authentication on the Switch 13 16 Configuring Switch Ports as 802 1X Authenticators 13 17 1 Enable 802 1X Authentication on Selected Ports 13 18 A Enable the Selected Ports as Authenticators and Enable the Default Port Based Authentication 13 18 B Specify User Based Authentication or Ret...

Page 23: ... Option For Authenticator Ports Configure Port Security To Allow Only 802 1X Authenticated Devices 13 48 Port Security 13 49 Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches 13 50 Example 13 50 Supplicant Port Configuration 13 52 Displaying 802 1X Configuration Statistics and Counters 13 55 Show Commands for Port Access Authenticator 13 55 Viewing 802 1X ...

Page 24: ...le 14 22 Configuring Clearing of Learned MAC Addresses 14 23 MAC Lockdown 14 24 Differences Between MAC Lockdown and Port Security 14 26 MAC Lockdown Operating Notes 14 27 Deploying MAC Lockdown 14 28 MAC Lockout 14 32 Port Security and MAC Lockout 14 34 Reading Intrusion Alerts and Resetting Alert Flags 14 35 Notice of Security Violations 14 35 How the Intrusion Log Operates 14 36 Keeping the Int...

Page 25: ...horized Managers 15 9 Web Proxy Servers 15 10 How to Eliminate the Web Proxy Server 15 10 Using a Web Proxy Server to Access the WebAgent 15 10 Building IP Masks 15 11 Configuring One Station Per Authorized Manager IP Entry 15 11 Configuring Multiple Stations Per Authorized Manager IP Entry 15 11 Additional Examples for Authorizing Multiple Stations 15 13 Operating Notes 15 14 16 Key Management Sy...

Page 26: ...xxiv ...

Page 27: ...rations Management and Configuration Guide Describes how to configure manage and monitor basic switch operation Advanced Traffic Management Guide Explainshowtoconfigure traffic management features such as VLANs MSTP QoS and Meshing Multicast and Routing Guide Explains how to configure IGMP PIM IP routing and VRRP features Access Security Guide Explains how to configure access security fea tures an...

Page 28: ...installing it on the Intelligent Edge version of these switches These features are automatically included on the HP 6200yl switches Premium License Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide IPv6 Configura tion Guide OSPFv2 IPv4 X OSPFv3 IPv6 X PIM DM Dense Mode X PIM SM Sparse Mode X QinQ Provider Bridging X VRRP X...

Page 29: ... X Copy Command X Core Dump X CoS Class of Service X Debug X DHCP Configuration X DHCPv6 Relay X DHCP Option 82 X DHCP Snooping X DHCP Bootp Operation X Diagnostic Tools X Diagnostics and Troubleshooting IPv6 X Distributed Trunking X Downloading Software X Intelligent Edge Software Features Manual Management and Configura tion Advanced Traffic Management Multicast and Routing Access Security Guide...

Page 30: ... Friendly Port Names X Guaranteed Minimum Bandwidth GMB X GVRP X Identity Driven Management IDM X IGMP X Interface Access Telnet Console Serial Web X IP Addressing X IPv6 Addressing X IP Preserve IPv6 X IP Routing X IPv6 Static Routing X Jumbo Packets X Intelligent Edge Software Features Manual Management and Configura tion Advanced Traffic Management Multicast and Routing Access Security Guide IP...

Page 31: ... Analysis X Multicast Filtering X Multiple Configuration Files X Network Management Applications SNMP X Nonstop Switching 8200zl switches X Out of Band Management OOBM X OpenView Device Management X OSPFv3 X Passwords and Password Clear Protection X Intelligent Edge Software Features Manual Management and Configura tion Advanced Traffic Management Multicast and Routing Access Security Guide IPv6 C...

Page 32: ... X Quality of Service QoS X RADIUS Authentication and Accounting X RADIUS Based Configuration X Rate Limiting X RIP X RMON 1 2 3 9 X Routing X Routing IP Static X Route Redistribution X SavePower Features X Secure Copy X Secure Copy IPv6 X Intelligent Edge Software Features Manual Management and Configura tion Advanced Traffic Management Multicast and Routing Access Security Guide IPv6 Configura t...

Page 33: ...00 3500yl 6200yl 6600 switches only X Syslog X System Information X TACACS Authentication X Telnet Access X Telnet IPv6 X TFTP X Time Protocols TimeP SNTP X Time Protocols IPv6 X Traffic Mirroring X Traffic Security Filters X Troubleshooting X Intelligent Edge Software Features Manual Management and Configura tion Advanced Traffic Management Multicast and Routing Access Security Guide IPv6 Configu...

Page 34: ...ate Filtering X VLANs X VLAN Mirroring 1 static VLAN X Voice VLAN X WebAuthenticationRADIUS Support X Web based Authentication X Web UI X Intelligent Edge Software Features Manual Management and Configura tion Advanced Traffic Management Multicast and Routing Access Security Guide IPv6 Configura tion Guide Basic Operation Guide ...

Page 35: ...Security on page 1 9 It outlines potential threats for unauthorized switch and network access and provides guidelines on how to prepare the switch for secure network operation About This Guide This Access Security Guide describes how to configure security features on your switch For More Information For IPv6 specific security settings and features refer to the IPV6 Configuration Guide for your swi...

Page 36: ...tInterfaceWizard on page 1 10 for details Table 1 1 Access Security and Switch Authentication Features Feature Default Setting Security Guidelines More Information and Configuration Details Manager password no password ConfiguringalocalManagerpasswordisafundamental step in reducing the possibility of unauthorized access through the switch s WebAgent and console CLI and Menu interfaces TheManagerpa...

Page 37: ...d System Information in the Basic Operation Guide For RADIUS accounting refer to Chapter 6 RADIUS Authentication and Accounting SSH disabled SSH provides Telnet like functions through encrypted authenticated transactions of the following types client public key authentication uses one or more public keys from clients that must be stored on the switch Only a client with a private key that matches a...

Page 38: ... Management VLAN disabled This feature creates an isolated network for managing the HP switches that offer this feature When a secure managementVLANisenabled CLI Menuinterface and WebAgent access is restricted to ports configured as members of the VLAN Advanced Traffic Management Guide refer to the chapter Static Virtual LANs VLANs ACLs for Management Access Protection none ACLs can also be config...

Page 39: ...o provide port based security measures for protecting private networks and the switch itself from unauthorized access Because neither method requires clients to run any special supplicant software both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option Both methods rely on using a RADIUS server for authentication This s...

Page 40: ... and automated updates to the switch via the USB flash drive When enabled in secure mode this is done with secure credentials to prevent tampering Note that the USB Autorun feature is disabled automatically once a password has been set on the switch Management and Configuration Guide Appendix A File Transfers refer to the section USB Autorun Traffic Security Filters none These statically configure...

Page 41: ...relied upon for a complete security solution Chapter 10 IPv4 Access Control Lists ACLs Port Security MACLockdown and MAC Lockout none The features listed below provide device based access security in the following ways Port security Enables configuration of each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port This enables i...

Page 42: ...ps defeat ICMP denial of service attacks by restricting ICMP traffic to percentage levels that permit necessary ICMP functions but throttle additional traffic that may be due to worms or viruses reducing their spread and effect Management and Configuration Guide in the chapter on Port Traffic Controls refertothesection ICMP Rate Limiting Spanning Tree Protection none These features prevent your sw...

Page 43: ...lnerability existing in your network and take steps to ensure that all reasonable security precautions are in place This includes both configurable security options and physical access to the switch Switch management access is available through the following methods Front panel access to the console serial port see Physical Security Inbound Telnet access Web browser access WebAgent SNMP access For...

Page 44: ...SB to Transfer Files to and from the Switch and Using USB Autorun in the Management and Configuration Guide Appendix A File Transfers Quick Start Using the Management Interface Wizard The Management Interface wizard provides a convenient step by step method to prepare the switch for secure network operation It guides you through the process of locking down the following switch operations or protoc...

Page 45: ...ss for help Operator password not configured Confirm password Manager password Confirm password Restrict SNMP access to SNMPv3 only no SNMPv2 community name notpublic SNMPv2 Community access level unrestricted Telnet enabled yes SSH enabled no Web management enabled yes Restrict Web access to SSL no Timeout for ssh telnet sessions 0 Operator password Manager password Restrict SNMP access to SNMPv3...

Page 46: ...zard Operating Notes and Restrictions Once a password has been configured on the switch you cannot remove it using the CLI wizard Passwords can be removed by executing the no password command directly from the CLI When you restrict SNMP access to SNMPv3 only the options SNMPv2 community name and access level will not appear The wizard displays the first available SNMPv2 community and allows the us...

Page 47: ...ports SNMP versions 1 2c and 3 including SNMP community and trap configuration The default configuration supports versions 1 and 2c compatibility which uses plain text and does not provide security options HP recommends that you enable SNMP version 3 for improved security SNMPv3 includes the ability to configure restricted access and to block all non version 3 messages which blocks version 1 and 2...

Page 48: ...nd booting from software release K 12 xx or greater If SNMP access to the authentication configuration hpSwitchAuth MIB described above is not desirable for your network then immediately after downloading and booting from the K 12 xx or greater software for the first time use the following command to disable this feature snmp server mib hpswitchauthmib excluded If you choose to leave the authentic...

Page 49: ... Enabled physical port 2 MAC lockout Applies to all ports on the switch 3 MAC lockdown 4 Port security 5 Authorized IP Managers 6 Application features at higher levels in the OSI model such as SSH The above list does not address the mutually exclusive relationship that exists among some security features Precedence of Client Based Authentication Dynamic Configuration Arbiter Starting in software r...

Page 50: ...d clients provided that a client s MAC address is known in the switch in the forwarding database DCA arbitrates the assignment of attributes on both authenticated and non authenticated ports DCA does not support the arbitration and assignment of client specific attributes on trunk ports HP E Network Immunity Manager HP E Network Immunity Manager NIM is a plug in to HP PCM and a key component of th...

Page 51: ...a profile of configured attributes to the MAC address of a client device on an authenticated or unauthenticated port Configure or unconfigure an untagged VLAN for use in an authenticated or unauthenticated client session Note that the attribute profile assigned to a client is often a combination of NIM configured RADIUS assigned and statically configured settings Precedence is always given to the ...

Page 52: ... parameters are later removed the parameter values in the client session return to the RADIUS configured or locally configured settings depending on which are next in the hierarchy of precedence In addition DCA supports conflict resolution for QoS port based CoS priority and rate limiting ingress by determining whether to configure either strict or non strict resolution on a switch wide basis For ...

Page 53: ... Precedence of Security Options RADIUS assigned CoS rate limiting and ACLS Configuring RADIUS Server Support for Switch Services on page 7 1 Statically local configured Configuring Username and Password Security on page 2 1 ...

Page 54: ...he network This operation enables the network to approve or deny access at the edge of the network instead of in the core distinguish among different users and what each is authorized to do configure guest access without compromising internal security Criteria for enforcing RADIUS based security for IDM applications includes classifiers such as authorized user identity authorized device identity M...

Page 55: ...ent Beginning with software release K 12 xx usernames and passwords for Man ager and Operator access can also be configured using SNMP For more information refer to Using SNMP To View and Configure Switch Authentica tion Features on page 6 32 Feature Default Menu CLI WebAgent Set Usernames none page 2 10 Set a Password none page 2 4 page 2 6 page 2 10 Delete Password Protection n a page 2 5 page 2...

Page 56: ...onse to the prompt If you set a Manager password you may also want to configure an inactivity timer This causes the console session to end after the specified period of inactivity thusgivingyouaddedsecurityagainstunauthorizedconsoleaccess Not e If theconsole inactivity timer expires any outbound Telnet or SSH sessions open on the switch are terminated You can use either of the following to set the...

Page 57: ... in response to the switch s password prompt then the switch does not allow management access for that session Passwords are case sensitive When configuring an operator or manager password a message will appear indicating that USB autorun has been disabled For more information on the autorun feature refer to the Appendix A on File Transfers in the Manage ment and Configuration Guide for your switc...

Page 58: ...rd a Select Set Manager Password or Set Operator Password You will then be prompted with Enter new password b Type a password of up to 64 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new console session you w...

Page 59: ...d Manager Level access 1 Enter the console at the Manager level 2 Go to the Set Passwords screen as described above 3 Select Delete Password Protection You will then see the following prompt Continue Deletion of password protection No 4 Press the Space bar to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot sta...

Page 60: ...a given access level The commands sets or changes existing password s If no password is provided in the command you are prompted to enter the new password twice The no form of the command removes specific local password protection Note port access is available only if include credentials is enabled manager operator port access all Level of access username Username up to 64 characters plaintext sha...

Page 61: ...el This means that anyone who can access the switch console can gain Operator access without having to enter a user name or password If you want to remove both operator and manager password protection use the no password all command Username and Password Length The limit on username and password length is 64 characters for the following authentication methods Front end WEB User Interface SSH and T...

Page 62: ...st be enclosed in quotes for example one two three A blank space or spaces between quotes is allowed for example Additional Restrictions Some authentication servers prevent the usage of special symbols such as the backslash and quotes The switch allows the use of these symbols in configurable credentials but using them may limit access for some users who may use different client software Please re...

Page 63: ...edentials feature has ever been enabled If You Cannot Access the Switch Using the Previous Password If you cannot access the switch after a software version downgrade clear the password by using the Clear button on the switch to regain access Then boot into a software version that supports long passwords and perform steps 1 2 or 3 in the preceding section Setting an Encrypted Password Use this com...

Page 64: ...rname and Password Security Configuring Local Password Security WebAgent Setting Passwords and Usernames In the WebAgent you can enter passwords and optional usernames See the WebAgent Online Help for detailed information ...

Page 65: ...re authentication sessions with TACACS servers RADIUS shared secret encryption keys used to encrypt packets and secure authentication sessions with RADIUS servers Secure Shell SSH public keys used to authenticate SSH clients that try to connect to the switch Benefits of Saving Security Credentials The benefits of including and saving security credentials in a configuration file are as follows Afte...

Page 66: ... and 802 1X authenticator port access security credentials and SSH client public keys in the running configuration Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running config file To view the currently configured security settings in the running configuration enter one of the following comma...

Page 67: ... time for example on a new switch or when you previously have successfully executed the no include credentials store in config command the passwords and SSH keys are not currently stored in the configuration file not activated This warning message displays radius tacacs only When executed with the radius tacacs only option only the RADIUS and TACACS security keys are included in the configuration ...

Page 68: ...the option of setting new switch passwords as shown in Figure 2 6 You are also queried about retaining the current SSH authorized keys on the switch If you enter y the currently active authorized key files are renamed to the pre include credentials names for example file mgr_auth_keys 2 file mgr_auth_keys file authorized_keys 2 file authorized_keys All remaining authorized keys files with an exten...

Page 69: ...SCII text For example a manager username and password may be stored in a running config file as follows HP Switch config no include credentials store in config This will remove any switch passwords and inactive SSH authorized keys from all configuration files This will also restore the functionality to store only a single set of passwords and authorized keys on the switch Do you want to continue y...

Page 70: ... format port access passwords are displayed and saved only as plain ASCII text For more information about configuring local manager and operator passwords refer to Configuring Username and Password Security on page 2 1 in this guide For more information about configuring a port access password for 802 1X client authentication see 802 1X Port Access Credentials on page 2 18 in this guide Syntax no ...

Page 71: ...h and the station The following example shows the additional security credentials for SNMPv3 users that can be saved in a running config file Figure 2 7 Example of Security Credentials Saved in the Running Config Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA 1 hash of the password the password is displayed and saved in a configuration fil...

Page 72: ...rately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch For information on the new password command syntax see Password Command Options on page 2 16 After you enter the complete password port access command syntax the password is set You are not prompted to enter the password a second time TACAC...

Page 73: ...e RADIUS servers as the primary authentication method for users who request access to a switch through Telnet SSH WebAgent console or port access 802 1X The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server during authentication sessions Both the switch and the server have a copy of the key the key is never transmitted across...

Page 74: ...edentials is executed include credentials is disabled Credentials continue to be stored in the active and inactive configuration files but are not displayed radius tacacs only When executed with the radius tacacs only option only the RADIUS and TACACS security keys are included in the configuration when saving files remotely The radius tacacs only option can be disabled with either command no incl...

Page 75: ...fer to Configuring Secure Shell SSH on page 8 1 in this guide The SSH security credential that is stored in the running configuration file is configured with the ip ssh public key command used to authenticate SSH clients for manager or operator access along with the hashed content of each SSH client public key HP Switch config include credentials radius tacacs only CAUTION This will insert possibl...

Page 76: ...ns SSH client public key configurations the downloaded public keys overwrite any existing keys as happens with any other configured values keystring a legal SSHv2 RSA or DSA public key The text string for the public key must be a single quoted token If the keystring contains double quotes it can be quoted with single quotes keystring The following restrictions for a keystring apply A keystring can...

Page 77: ... BhkXjtHhz6gD701otgizUOO6 Xzf4 J9XkJHkOCnbHIqtB1sbRYBTxj3NzA K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP pv2scqPPXQghgaTkdPwGGtdFW K4xRskAnIaxuG0qLbnekohi ND4TkKZd EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf QV95kdNwWIbxuusBAzvfaJptd gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7 1kVOdS G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK piG Q1el1w9zsMaxPA1XJzSY imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6...

Page 78: ...ion about the passwords and SSH keys stored in the configuration Stored in Configuration Yes The passwords and SSH keys are stored in the configuration Include credentials was exe cuted Stored in Configuration No There is only one set of operator manager passwords and one set of SSH keys for the switch Enabled in Active Configuration Include credentials is either enabled or disabled RADIUS TACACSo...

Page 79: ...onfig One set for switch No credentials displayed in config SSH Public Key One set for switch Stored in flash Not displayed in config One set per stored config Stored in flash Displayed in config Same as include credentials enabled Not displayed in config One set for switch No credentials displayed in config SNMPv3 auth and priv Stored in flash Not displayed in config Stored in flash Displayed in ...

Page 80: ...a switch boots up The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off A warning message reminds you to permanently save a security setting After you enter theinclude credentials command the currently configured manager and operator usernames and passwords RADIUS shar...

Page 81: ...configuration files Each configuration filecontainsitsownsecuritycredentialsandthesesecurityconfigurations may differ It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported If you have already enabled the stora...

Page 82: ...MPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file To display the engine ID of a switch enter the show snmpv3 engine id command To configure authentication and privacy passwords for SNMPv3 users enter the snmpv3 user command If the engine ID in the saved SNMPv3 s...

Page 83: ...d in the configura tion file in plain text The encrypt credentials command allows the storing displaying and transferring of credentials in encrypted form When the encrypt credentials feature is enabled the affected credentials will be encrypted using aes 256 cbc encryption By default a fixed hard coded 256 bit key that is common to all HP networking devices is used This allows transfer of configu...

Page 84: ...e data in the configuration Syntax no encrypt credentials pre shared key plaintext hex When encrypt credentials is enabled without any parameters it enables the encryption of relevant security parameters in the configuration The no form of the command disables the encrypt credentials feature If specified with pre shared key option clears the pre shared key used to encrypt credentials pre shared ke...

Page 85: ...rsions The resulting config file cannot be used by older software versions It may also break some of your existing user scripts Before proceeding please save a copy of your current config file and associate the current config file with the older software version saved in flash memory See Best Practices for Software Updates in the Release Notes A config file with encrypt credentials may prevent pre...

Page 86: ... 1 encrypted key U2FsdGVkX18XWadTeFN bxHxKA q s5cV1NiYvx TuA HP Switch config tacacs server key secret1 HP Switch config tacacs server encrypted key U2FsdGVkX18XWadTeFN bxHxKA q s5cV1NiYvx TuA HP Switch config tacacs server host 10 0 0 1 key secret1 HP Switch config tacacs server host 10 0 0 1 encrypted key U2FsdGVkX18XWadTeFN bxHxKA q s5cV1NiYvx TuA HP Switch config key chain example key 1 key st...

Page 87: ...ted on the same switch or another switch with the same pre shared key whether user specified or a default key If an incorrectly encrypted parameter is used it is highly likely that the decrypted version will contain incorrect characters and neither key will function correctly or be displayed in any show command Interaction with Include Credentials Settings The following table shows the interaction...

Page 88: ...h Insurance Portability and Accountability Act HIPAA of 1996 requires that systems handling and transmitting confidential medical records must be secure It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key For some customers this is no longer true Others simply...

Page 89: ...on and the Clear button When using redundant management the System Reset button reboots the entire chassis See Resetting the Management Module in the Management and Configuration Guide for more information on resetting the management modules in a redundant management switch Figure 2 16 Front Panel Button Locations on an HP Switch E8212zl Clear Button Pressing the Clear button alone for one second ...

Page 90: ...set Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button 2 While holding the Reset button press and hold the Clear button 3 Release the Reset button Reset Clear Reset Clear Reset Clear ...

Page 91: ...le or re enable the password clearing function of the Clear button Disabling the Clear button means that pressing it does not remove local password protection from the switch This action affects the Clear button when used alone but does not affect the operation of the Reset Clear combination described under Restor ing the Factory Default Configuration on page 2 36 Configure the Clear button to reb...

Page 92: ...is enabled then pressing the Clear button erases the local usernames and passwords from the switch When reset on clear is enabled pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch Enabling reset on clear automatically enables clear password Default Disabled Note If you have stored security credentials including the local manager and operator ...

Page 93: ...covery Process on page 2 46 Default Enabled CAUTION Disabling this option removes the ability to recover a password on the switch Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security If you disable password recovery and then lose the password you will have to use the Reset and Clear buttons page 2 36 to reset the switch to its fa...

Page 94: ...ent module Default Enabled Note Although the Clear button does not erase passwords when disabled you can still use it with the Reset button Reset Clear to restore the switch to its factory default configuration as described under Restoring the Factory Default Configuration on page 2 36 HP Switch config no front panel security password clear CAUTION Disabling the clear button prevents switch passwo...

Page 95: ...ord clear Enabled reset on clear Disabled Thus To enable password clear with reset on clear disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password clear For redundant management systems this command only aff...

Page 96: ... switch s current configu ration with the factory default configuration and render the switch acces sible without the need to input a username or password You can use the factory reset command to prevent the Reset Clear combination from being used for this purpose Switch config show front panel security Clear Password Disabled Factory Reset Enabled Password Recovery Enabled Switch config no front ...

Page 97: ...the command has been used to disable the above two functions Also if you disable factory reset you cannot disable the password recovery option and the reverse HP Switch config no front panel security factory reset CAUTION Disabling the factory reset option prevents switch configuation and passwords from being easily reset or recovered Ensure that you are familiar with the front panel security opti...

Page 98: ...gured or password Using Pass word Recovery requires password recovery enabled the default on the switch prior to an attempt to recover from a lost username password situation Contacting your HP Customer Care Center to acquire a one time use password Disabling or Re Enabling the Password Recovery Process Disabling the password recovery process means that the only method for recovering from a lost m...

Page 99: ...t parameter is enabled If it is disabled use the front panel security factory reset command to enable it 3 Press and release the Clear button on the front panel of the switch 4 Within 60 seconds of pressing the Clear button enter the following com mand no front panel security password recovery Syntax no front panel security password recovery Enables or using the no form of the command disables the...

Page 100: ...er Restoring the Factory Default Configuration on page 2 36 This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured To use the password recovery option to recover a lost password 1 Note the switch s base MAC address It is shown on the label located on the upper ri...

Page 101: ...enter is valid only for a single login attempt You cannot use the same one time use password if you lose the password a second time Because the password algorithm is randomized based upon your switch s MAC address the pass word will change as soon as you use the one time use password provided to you by the HP Customer Care Center ...

Page 102: ...2 48 Configuring Username and Password Security Password Recovery ...

Page 103: ...It is primarily concerned with the class of worm like malicious code that tries to replicate itself by using vulnerabilities on other hosts that is weaknesses in network applications behind unsecured ports Agents of this variety operate by choosing a set of hosts to attack based on an address range sequential or random that is exhaustively searched either by blindly attempting to make connections ...

Page 104: ...re tool you can use in your inci dent management program to help detect an manage worm type IT security threats received in inbound IP traffic Major benefits of this tool include Behavior based operation that does not require identifying details unique to the code exhibiting the worm like operation Handles unknown worms Needs no signature updates Protectsnetwork infrastructure byslowing orstopping...

Page 105: ... other hosts Filtering Options In the default configuration connection rate filtering is disabled When enabled on a port connection rate filtering monitors inbound IP traffic for a high rate of connection requests from any given host on the port If a host appears to exhibit the worm like behavior of attempting to establish a large number of outbound IP connections in a short period of time the swi...

Page 106: ...ly blocked Sensitivity to Connection Rate Detection The switch includes a global sensitivity setting that enables adjusting the ability of connection rate filtering to detect relatively high instances of con nection rate attempts from a given source Application Options For the most part normal network traffic is distinct from the traffic exhibited by malicious agents However when a legitimate netw...

Page 107: ... rate filtering and thereby keep the server running without interruption Note Use connection rate ACLs only when you need to exclude an IP traffic source including traffic with specific UDP or TCP criteria from a connection rate filtering policy Otherwise the ACL is not necessary Operating Rules Connection rate filtering does not operate on IPv6 traffic Connection rate filtering is triggered by in...

Page 108: ...block command page 3 16 Rebooting the switch Disabling connection rate filtering using the no connection rate filter command Deleting a VLAN removes blocks on any hosts on that VLAN Note Changing a port setting from block to throttle notify only or to no filter connec tion rate does not unblock a currently blocked host Similarly applying a connection rate ACL will not unblock a currently blocked h...

Page 109: ...ting high connection rates 5 Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior 6 Hostsdemonstratinghigh butlegitimateconnectionrates suchasheavily used servers may trigger a connection rate filter Configure connection rate ACLs to create policy exceptions for trusted hosts Exceptions can be confi...

Page 110: ...ts and helps to identify hosts that may require updates or patches to eliminate malicious code 1 Configure connection rate filtering to throttle on all ports 2 Set global sensitivity to medium 3 If SNMP trap receivers are available in your network use the snmp server command to configure the switch to send SNMP traps 4 Monitor the Event Log or the available SNMP trap receivers if configured on the...

Page 111: ... in this section to enable connection rate filtering on the switch and to apply the filtering on a per port basis You can use the ACL commands in the next section to adjust a filter policy on a per vlan basis to avoid filtering traffic from specific trusted source addresses Command Page Global and Per Port Configuration connection rate filter sensitivity low medium high aggressive 3 10 filter conn...

Page 112: ...ensitivity to the lowest possible sensitivity which allows a mean of 54 destinations in less than 0 1 seconds and a corresponding penalty time for Throttle mode if configured of less than 30 seconds medium Sets the connection rate sensitivity to allow a mean of 37 destinations in less than 1 second and a corresponding penalty time for Throttle mode if configured between 30 and 60 seconds high Sets...

Page 113: ...fy only generates an Event Log message Sends a similar message to any SNMP trap receivers configured on the switch throttle If the switch detects a relatively high number of IP connection attempts from a specific host this option generates the notify only messaging and also blocks all inbound traffic from the offending host for a penalty period After the penalty period the switch allows traffic fr...

Page 114: ... following response to high connection rate traffic on the switch Ports B1 B3 Throttle traffic from the transmitting host s Port B4 Respond with Notify Only to identify the transmitting host s Ports B9 D1 and D2 Block traffic from the transmitting host s Figure 3 3 illustrates the configuration steps and resulting startup config file HP Switch Server Company Intranet VLAN 1 15 45 100 1 VLAN 10 15 ...

Page 115: ...eated on release K 15 XX hostname HP Switch connection rate filter sensitivity low module 2 type 8702A module 4 type 8702A ip routing snmp server communitye public Unrestricted snmp server host 12 45 200 75 public vlan 1 name DEFAULT_VLAN untagged B5 B24 ip address dhcp bootp no untagged B1 B4 D1 D24 ip proxy arp exit filter connection rate B4 notify only filter connection rate B1 B3 throttle filt...

Page 116: ...configura tion details use show config or show running page 3 15 Figure 3 4 Example of Displaying the Connection Rate Status Sensitivity and Per Port Configuration Syntax show connection rate filter Displays the current global connection rate status enabled disabled and sensitivity setting and the cur rent per port configuration This command does not display the current optional connection rate AC...

Page 117: ...255 255 exit module 2 type J8161A module 4 type J8161A ip routing logging 13 28 234 180 snmp server community public Unrestricted vlan 1 name DEFAULT_VLAN untagged B1 B12 B19 B24 D1 D24 no ip address no untagged B13 B18 ip proxy arp exit vlan 15 name VLAN_15 untagged B13 B18 ip address 13 28 234 181 255 255 240 0 ip proxy arp ip connection rate filter access group Sample exit filter connection rat...

Page 118: ...tering does not age out This is to help prevent a malicious host from automatically regaining access to the network Syntax show connection rate filter all hosts blocked hosts throttled hosts all hosts Lists by VLAN membership all hosts currently detected in a throttling or blocking state along with a state indicator throttled hosts Lists by VLAN membership the hosts cur rently in a throttling stat...

Page 119: ...g the sensitivity level on the associated port or configuring a connection rate ACL to create a filtering exception for the host Note For a complete list of options for unblocking hosts see page 3 6 Syntax connection rate filter unblock all host ip addr all Unblocks all hosts currently blocked due to action by connection rate filtering on ports where block mode has been configured host ip addr Unb...

Page 120: ...mate traffic from a trusted source and apply connection rate filtering only to inboundtraffic from untrustedsources Forexample wherea connection rate policy has been configured you can apply a connection rate ACL that causes the switch bypass connection rate policy filtering on traffic from A trusted server exhibiting a relatively high IP connection rate due to heavy demand A trusted traffic sourc...

Page 121: ...d VLAN and creates an exception to the connection rate filter policy configured on each port A connection rate ACL has no effect on ports in the VLAN that are not configured for connection rate filtering A connection rate ACL accepts inbound legitimate traffic from trusted sources without filtering the traffic for the configured connection rate policy You can configure anACL to assign policy filte...

Page 122: ...ext HP Switch config crf nacl If the ACL already exists this command simply puts the CLI into the ACE context Syntax filter ignore ip any host ip addr ip addr mask length Used in the ACE context above to specify the action of the connection rate ACE and the source IP address of the traffic that the ACE affects Inbound IP traffic from Host A with relatively high number of IP connection rate attempt...

Page 123: ... for traffic addressed by the ACE any Applies the ACEs action filter or ignore to traffic having any SA host ip addr Applies the ACEs action filter or ignore to traffic having the specified host SA ip addr mask length Applies the ACEs action filter or ignore to traffic having an SA within the range defined by either src ip addr cidr mask bits or src ip addr mask Use this criterion for traffic rece...

Page 124: ...udp tcp ip addr mask length udp tcp options Used in the ACE context above to specify the action of the connection rate ACE filter or ignore and the UDP TCP criteria and SA of the IP traffic that the ACE affects filter ignore filter This option assigns a policy of filtering drop ping IP traffic having an SA that matches the source address criteria in the ACE ignore This option specifies a policy of...

Page 125: ...port udp data tcp data operator tcp port udp data operator udp port operator eq gt lt neq range eq port nbr or name Equal To to have a match with the ACE entry the TCP or UDP source port number in a packet must be equal to the specified port number gt port nbr or name Greater Than to have a match with the ACE entry the TCP or UDP source port number in a packet must be greater than the specified po...

Page 126: ...e 53 ntp Network Time Protocol 123 radius Remote Authentication Dial In User Service 1812 radius old Remote Authentication Dial In User Service 1645 rip Routing Information Protocol 520 snmp Simple Network Management Protocol 161 snmp trap Simple Network Management Pro tocol 162 tftp Trivial File Transfer Protocol 69 HP Switch config ignore tcp host 15 75 10 11 destination port eq 1812 source port...

Page 127: ...are configured for connection rate filtering A connection rate ACL does not apply to ports in the VLAN that are not configured for connection rate filtering The no form of the command removes the connection rate ACL assignment from the VLAN Note The switch allows only one connection rate ACL assign ment per VLAN If a connection rate ACL is already assigned to a VLAN and you assign another connecti...

Page 128: ...high The server at IP address 15 45 50 17 frequently transmits a relatively high rate of legitimate connection requests which now triggers connection rate blocking of the server s IP address on port D2 This causes periodic unnecessary blocking of access to the server The administrator needs to maintain blocking protection from the Company Intranet while allowing access to the server at 15 45 50 17...

Page 129: ...that any traffic that is not from the desired server will be subject to filtering by the connection rate policy configured on port D2 2 Assigning the ACL to the VLAN through which traffic from the server enters the switch Figure 3 11 Creating and Assigning a Connection Rate ACL HP Switch config ip access list connection rate filter 17 server HP Switch config crf nacl ignore ip host 15 45 50 17 HP ...

Page 130: ...P Switch connection rate filter sensitivity high ip access list connection rate filter 17 server ignore ip 15 45 50 17 0 0 0 0 exit module 2 type J8702A module 4 type J8702A ip routing logging 13 28 234 180 snmp server community public Unrestricted snmp server host 15 45 200 75 public vlan 1 name DEFAULT_VLAN untagged B5 B24 no ip address no untagged B1 B4 D1 D24 ip proxy arp exit vlan 10 name VLA...

Page 131: ...creening Implicit ACE A connection rate ACL includes a third implicit filter ip any ACE which is automatically the last ACE in the ACL This implicit ACE does not appear in displays of the ACL configuration but is always present in any connection rate ACL you configure For example assume that a port is configured with a connection rate policy and is in a VLAN configured with a connection rate ACL I...

Page 132: ...determining current resource availability and usage refer to the appendix titled Monitoring Resources in the Management and Configuration Guide for your switch Connection Rate Log and Trap Messages Please see the Event Log Message Reference Guide for information about Event Log messages ...

Page 133: ...ent by allowing you to control access from a master database in a single server You can use up to three RADIUS servers to provide backups in case access to the primary server fails It also means the same credentials can be used for authentication regardless of which switch or switch port is the current access point into the LAN On a port configured for Web or MAC Authentication the switch operates...

Page 134: ...e switch forwards the device s MAC address to the RADIUS server for authentication The RADIUS server uses the device MAC address as the username and password and grants or denies network access in the same way that it does for clients capable of interactive logons The process does not use either a client device configuration or a logon session MAC authentication is well suited for clients that are...

Page 135: ...enabled for MAC authentication if Web and MAC authentication are both enabled on the port Hitless reauthentication must be of the same type MAC that was used for the initial authentication Non hitless reauthentication can be of any type The remaining Web MAC functionality including interactions with 802 1X remains the same Web and MAC authentication can be used for different clients on the same po...

Page 136: ...entication on a port RADIUS Based Authentication In Web and MAC authentication you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client When a RADIUS server authenticates a client the switch port membership during the client s connection is determined according to the following hierarchy 1 A RADIUS assigned VLAN 2 An authorized VLAN specified in the ...

Page 137: ...i rected to the switch A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password The default User Login screen is shown in Figure 4 1 Figure 4 1 Example of Default User Login Screen When a client connects to the switch it sends a DHCP request to receive an IP address to connect to the network To avoid address conflicts in a...

Page 138: ...sful login a client may be redirected to a URL if you specify a URL value redirect url when you configure web authentication Figure 4 3 Authentication Completed The assigned VLAN is determined in order of priority as follows 1 If there is a RADIUS assigned VLAN then for the duration of the client session the port belongs to this VLAN and temporarily drops all other VLAN memberships 2 If there is n...

Page 139: ... before timing out The max requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails The switch waits a specified amount of time quiet period before processing any new authentication requests from the client Network administrators may assign unauthenticated clients to a specific static untagged VLAN unauth vid to provide access ...

Page 140: ... port to another and client moves have not been enabled addr moves on the ports the session ends and the client must reauthenticate for network access At the end of the session the port returns to its pre authentication state Any changes to the port s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid crede...

Page 141: ...ss or username and password before being allowed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified web page presented to an authorized client following ...

Page 142: ...her precedent port access management feature is not enabled on the port For example be sure that Port Security is disabled on a port before configuring the port for Web or MAC Authentication If Port Security is enabled on the port this misconfiguration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to configure VLAN assignments ...

Page 143: ... or MAC based authentication must be statically configured VLANs on the switch Also if you configure one or both of these options any services you want clients in either category to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an a...

Page 144: ...ure that client authenticated edge ports get blocked when loops occur you should enable loop protection on those ports For more information refer to Loop Protection in the chapter titled Multiple Instance Spanning Tree Operation in the Advanced Traffic Manage ment Guide for your switch Setup Procedure for Web MAC Authentication Before You Configure Web MAC Authentication 1 Configure a local userna...

Page 145: ...tcanjoinan Authorized VLAN forthedurationoftheclientsession ifyouchoosetoconfigure one This must be a port based statically configured VLAN on the switch c If there is neither a RADIUS assigned VLAN or an Authorized VLAN for an authenticated client session on a port then the port s VLAN membership remains unchanged during authenticated client ses sions In this case configure the port for the VLAN ...

Page 146: ... server and configure the server Refer to the documentation provided with your RADIUS application and include the following in the policy for each client or client device The CHAP RADIUS authentication method An encryption key One of the following If you are configuring Web based authentication include the user name and password for each authorized client If you are configuring MAC based authentic...

Page 147: ...vice use the base MAC address assigned to the device and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch Note that the switch applies a single MAC address to all VLANs configured in the switch Thus for a given switch the MAC address is the same for all VLANs configured on the switch Refer to the chapter titled Static Virtual LANs VLANs i...

Page 148: ...IUS server addresses configured in the switch include a server specific encryption key The tilde character is allowed in the string for example radius server key hp switch It is not backward compatible the character is lost if you use a software version that does not support the character Default Null Syntax radius server host ip address key server specific key string no radius server host ip addr...

Page 149: ...A7rd Figure 4 5 Example of Configuring a Switch To Access a RADIUS Server HP Switch config radius server host 192 158 32 11 HP Switch config radius server host 192 158 32 11 key 1A7rd HP Switch config show radius Status and Counters General RADIUS Information Deadtime min 0 Timeout secs 5 Retransmit Attemtps 3 Global Encryption Key Auth Acct Server IP Addr Port Port Encryption Key 192 168 32 11 18...

Page 150: ...US server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Optional To use SSL encryption for web authentication login configure and enable SSL on the switch 7 Enable web authentication on the switch ports you want to use 8 Configure the optional settings that you want to use for web authentica...

Page 151: ...Authentication works properly on the ports you have configured for port access using Web Authentication Note Client web browsers may not use a proxy server to access the network Configuration Commands for Web Authentication Command Page Configuration Level aaa port access port list controlled directions both in 4 20 no aaa port access web based port list 4 22 auth vid 4 22 clear statistics 4 22 cl...

Page 152: ...gured for web authentication before authentication occurs Out going traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication Prerequisites As implemented in 802 1X authentica tion the disabling of incoming traffic and transmis sion of outgoing traffic on a web authenticated egress port in an unauthenticated state using the aaa port access con...

Page 153: ...e Wake on LAN feature is used by network administrators to remotely power on a sleeping workstation for example during early morning hours to perform routine maintenance operations such as patch management and software updates Using the aaa port access controlled directions in command you can enable the transmission of Wake on LAN traffic on unauthenticated egress ports that are configured for any...

Page 154: ...Default 0 Syntax aaa port access web based clear statistics Clears resets to 0 all counters used to monitor the CEI HTTP Web Auth control traffic generated in web authentication session To display Web Auth traffic statistics enter the show port access web based statis tics command Syntax aaa port access web based port list client limit 1 256 Specifies the maximum number of authenticated cli ents t...

Page 155: ...a port access web based ewa server ipv4 addr hostname page path Configures a connection with the web server at the specified IPv4 address ipv4 addr or host name ipv4 addr on which customized login web pages used for Web Authentication are stored A maximum of 3 web servers may be configured on the switch The optional page path parameter defines the direc tory path on the server where all customized...

Page 156: ...od interval the client is returned to its pre authentication state Default 300 seconds Syntax aaa port access web based port list max requests 1 10 Specifies the number of authentication attempts that must time out before authentication fails Default 2 Syntax aaa port access web based port list max retries 1 10 Specifies the number of the number of times a client can enter their user name and pass...

Page 157: ... after a successful login Any valid fully formed URL may be used for example http welcome server welcome htm or http 192 22 17 5 HP recommends that you provide a redirect URL when using Web Authentication Note The redirect url command accepts only the first 103 characters of the allowed 127 characters Use the no form of the command to remove a specified redirect URL Default There is no default URL...

Page 158: ...r each port includes Number of authorized and unauthorized clients VLAN ID number of the untagged VLAN used If the switch supports MAC based untagged VLANs MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions If tagged VLANs statically configured or RADIUS assigned are used Yes or No If client specific per port CoS Class of Service values are config...

Page 159: ...nt on the switch The IP address displayed is taken from the DHCP binding table learned through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If a web authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding ...

Page 160: ... for a client s IP address n a IPv6 a web authenticated client uses an IPv6 address n a no info DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table HP Switch config show port access web based clients 1 detailed Port Access Web Based Client Status Detailed Client Base Details Port 1 Session Status authenticated Session Time sec 6 Username webuse...

Page 161: ...ections setting for transmitting Wake on LAN traffic on egress ports Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0 the default VLAN ID is used unless overridden by a RADIUS assigned value HP Switch config show port access web based config Port Access Web Based Configuration DHCP Base Address 192 168 0 0 DHCP Subnet Mask 255 255 255 0 DHCP Lease Length 10...

Page 162: ...tailed information on the currently config ured Web Authentication settings for specified ports HP Switch config show port access web based config 1 detailed Port Access Web Based Detailed Configuration Port 1 Web based enabled Yes Client Limit 1 Client Moves No Logoff Period 300 Re Auth Period 0 Unauth VLAN ID 0 Auth VLAN ID 0 Max Requests 3 Quiet Period 60 Server Timeout 30 Max Retries 3 SSL Ena...

Page 163: ...oreauthenticationlogin fails Length of time quiet period supported between authentication login attempts HP Switch config show port access web based config auth server Port Access Web Based Configuration Client Client Logoff Re Auth Max Quiet Server Port Enabled Limit Moves Period Period Req Period Timeout 1 Yes 1 No 300 0 3 60 30 2 No 1 No 300 0 3 60 30 Syntax show port access web based config po...

Page 164: ...Incorporate CSS styles consistent with the appearance of your network Implementing Customized Web Auth Pages To implement enhanced Web Authentication pages you need to Configure and start a web server on your local network Customize the HTML template files and make them accessible to the web server Configure the switch to display the customized files by using the aaa port access web based ewa serv...

Page 165: ... Customizing HTML Templates When you customize an HTML template follow these guidelines Do not change the name of any of the HTML files index html accept html and so on Some template pages use Embedded Switch Includes ESIs or Active Server Pages These should not be modified when customizing HTML files ESIs behave as follows i A client s web browser sends a request for an HTML file The switch passe...

Page 166: ...gin Page index html Figure 4 14 User Login Page The index html file is the first login page displayed in which a client requesting access to the network enters a username and password In the index html Template file you can customize any part of the source code except for the form that processes the username and password entered by a client File Name Page index html 4 34 accept html 4 36 authen ht...

Page 167: ...ate index html html head title User Login title head body h1 User Login h1 p In order to access this network you must first log in p form action webauth loginprocess method POST table tr td Username td td input name user type text td tr tr td Password td td input name pass type password td tr tr td td td input type submit value Submit td tr table form body html ...

Page 168: ...ure the VLAN used by authorized clients specify a VLAN ID with the aaa port access web based auth vid command parameter when you enable Web Authentication Theaccept htmlfile containsthe following ESIs which shouldnot be modified The GETWAUTHREDIRECTTIME ESI inserts the value for the waiting time used by the switch to redirect an authenticated client while the client renews its IP address and gains...

Page 169: ...e Access Granted title The following line is required to automatically redirect meta http equiv refresh content GETWAUTHREDIRECTTIME URL GETWAUTHREDIRECTURL head body h1 Access Granted h1 The ESI tag below will be replaced with the time in seconds until the page redirects p You have been authenticated Please wait GETWAUTHREDIRECTTIME second while network connection refreshes itself p body html ...

Page 170: ...client login and is refreshed while user credentials are checked and verified Figure 4 19 HTML Code for Authenticating Page Template HP Web Authentication Template authen html html head title Authenticating title The following line is always required meta http equiv refresh content 2 URL webauth statusprocess head body h1 Authenticating h1 p Please wait while your credentials are verified p body h...

Page 171: ...ed client is assigned to the VLAN configured for unauthorized client sessions You can configure the VLAN used by unauthor ized clients with the aaa port access web based unauth vid command when you enable Web Authentication The GETWAUTHREDIRECTTIME ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client while the client renews its IP address and gains ac...

Page 172: ...l html head title Invalid Credentials title The following line is required to automatically redirect meta http equiv refresh content GETWAUTHREDIRECTTIME URL GETWAUTHREDIRECTURL head body h1 Invalid Credentials h1 p Your credentials were not accepted However you have been granted gues account status Please wait GETWAUTHREDIRECCTTIME seconds while network connection refreshes itself p body html ...

Page 173: ...e the time period in seconds that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port access web based server timeout command when you enable Web Authentication Figure 4 23 HTML Code for Timeout Page Template HP Web Authentication Template timeout html html head title Timeout title head body h1 Timeout h1 p Your credentials could not be verifi...

Page 174: ... username and or password and is given another opportunity to log in The GETWAUTHRETRIESLEFT ESI displays the number of login retries that remain for a client that entered invalid login credentials You can configure the number of times that a client can enter their user name and password before authentication fails with the aaa port access web based max retries commands when you enable Web Authent...

Page 175: ...on Template retry_login html html head title Invalid Credentials title The following line is required to automatically redirect the user back to the login page meta http equiv refresh content 5 URL EWA index html head body h1 Invalid Credentials h1 p Your credentials were not accepted You have GETWAUTHRETRIESLEFT retries left Please try again p body html ...

Page 176: ...ed to an SSL server to enter credentials for Web Authentication If you have enabled SSL on the switch you can enable secure SSL based Web Authentication by entering the aaa port access web based ssl login command when you enable Web Authentication The GETWAUTHSSLSRV ESI inserts the URL that redirects a client to an SSL enabled port on a server to verify the client s username and password This ESI ...

Page 177: ...redirect html html head title User Login SSL Redirect title meta http equiv refresh content 5 URL https GETWAUTHSSLSRV EWA index html head body h1 User Login SSL Redirect h1 p In order to access this network you must first log in p p Redirecting in 5 seconds to secure page for you to enter credentials or href https GETWAUTHSSLSRV EWA index html click here a p body html ...

Page 178: ...nt login fails and no VLAN is configured for unauthorized clients The GETWAUTHQUIETTIME ESI inserts the time period used to block an unauthorized client from attempting another login To specify the time period before a new authentication request can be received by the switch configure a value for the aaa port access web based quiet period command when you enable Web Authentication This ESI should ...

Page 179: ...ovlan html html head title Access Denied title The line below is required to automatically redirect the user back to the login page meta http equiv refresh content GETWAUTHQUIETTIME URL EWA index html head body h1 Access Denied h1 p Your credentials were not accepted Please wait GETWAUTHQUIETTIME seconds to retry You will be redirected automatically to login page p body html ...

Page 180: ...t assignments have been made 3 Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC Auth on the switch 4 Configure the switch with the correct IP address and encryption key to access the RADIUS server 5 Configure the switch for MAC Auth a Configure MAC Authentication on the switch ports you want to ...

Page 181: ... implementing the global MAC authentication password option it is important that the user database on the RADIUS server has the MAC authen tication password as the password for each device performing MAC authen tication Use this command to configure the global MAC authentication password Command Page Configuration Level aaa port access mac based addr format 4 49 no aaa port access mac based passwo...

Page 182: ... config Port Access MAC Based Configuration MAC Address Format no delimiter Password secretMAC1 Unauth Redirect Configuration URL Unauth Redirect Client Timeout sec 1800 Unauth Redirect Restrictive Filter Disabled Total Unauth Redirect Client Count 0 Client Client Logoff Re Auth Unauth Auth Cntrl Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir 1 No 1 No 300 0 0 0 both 2 No 1 No 300 0 0 ...

Page 183: ...addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb cc dd ee ff format multi colon specifies an aa bb cc dd ee ff format no delimiter uppercase specifies an AABBCCDDEEFF format single dash uppercase specifies an AABBCC DDEEFF format multi dash uppercase specifies an AA BB CC DD...

Page 184: ...the switch does not allow moves and when one does occur the user will be forced to re authenticate At least two ports from port s and to port s must be specified Use the no form of the command to disable MAC address moves between ports under MAC Auth control Default disabled no moves allowed Syntax aaa port access mac based e port list auth vid vid no aaa port access mac based e port list auth vid...

Page 185: ...te The client remains authenticated while the reauthentication occurs When set to 0 reauthentication is disabled Default 300 seconds Syntax aaa port access mac based e port list reauthenticate Forces a reauthentication of all attached clients on the port Syntax aaa port access mac based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an au...

Page 186: ...ed Message on the Switch Syntax no aaa port access web based access denied message access denied str radius response Specifies the text message ASCII string shown on the web page after an unsuccessful login attempt The message must be enclosed in quotes The no form of the command means that no message is displayed upon failure to authenticate Default The internal web page is used No message will b...

Page 187: ...ge Custom Please contact your system administrator to obtain authentication privileges Client Client Logoff Re auth Unauth Auth Ctrl Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir A1 Yes 1 No 300 60 1 2 both A2 Yes 18 No 999999999 999999999 0 0 both A3 Yes 22 No 999999999 999999999 4096 4096 both HP Switch config show port access web based config Port Access Web based Configuration DHC...

Page 188: ...s an example of the denied access message that appears when unauth vid is configured Figure 4 34 Example of Web Page with Configured Access Denied Message When unauth vid is Configured Figure 4 35 shows an example of a web page displaying the access denied message when un auth vid is not configured Invalid Credentials Your credentials were not accepted You may have limited network access Please wa...

Page 189: ...ed access denied message Invalid Credentials Your credentials were not accepted Please wait 96 seconds to retry You will be redirected automatically to the login page Unauthorized access to this network is prohibited Access to this network requires prior authorization from the System Administrator Please obtain the credentials prior to logging in Please contact your system administrator to obtain ...

Page 190: ...n vlan 1 name DEFAULT_VLAN untagged 1 14 19 24 A1 A4 ip address dhcp bootp no untagged 15 18 exit vlan 100 name auth vid untagged 15 18 ip address dhcp bootp exit radius server host 10 0 13 118 key secret aaa authentication port access eap radius snmp server community public Unrestricted aaa port access web based 5 aaa port access web based 5 auth vid 100 aaa port access web based 5 unauth vid 1 a...

Page 191: ...ation process HP Switch config show running config Running configuration J8692A Configuration Editor Created on release K 14 00x hostname HP Switch 3500yl 24G web management ssl qos dscp map 000000 priority 0 module 1 type J86xxA module 3 type J8694A no stack auto join vlan 1 name DEFAULT_VLAN untagged 1 14 19 24 A1 A4 ip address dhcp bootp no untagged 15 18 exit vlan 100 name auth vid untagged 15...

Page 192: ...sed for example http 14 29 16 192 80 myServer html or https company com myServer html Syntax no aaa port access mac based unauth redirect Configure the HTTP redirect registration server feature redirect URL str Enable HTTP redirect registration server feature by configuring the URL of the registration page An entry can have either an IP address or a DNS name Only one server can be configured Note ...

Page 193: ... page The switch takes this request and responds to the client browser with an HTTP redirect to the configured URL The client MAC address and interface port are appended as HTTP parameters 4 Before returning the initial registration page to the client the switch enables NAT so that all subsequent requests will go to the web server directly The initial HTML page is returned to the switch and then p...

Page 194: ...eb page Switch takes request and redirects to web server HTTP request for initial registration page includes client MAC client port switch IP or MAC Initial registration page returned Switch enables NAT so all subsequent requests go directly to web server Initial registration page Switch filters all traffic only forwards HTTP traffic destined to configured web server RADIUSisupdatedwithclient s us...

Page 195: ...ys the HTTP redirect configuration Figure 4 39 Example of HTTP Redirect Configuration Reauthenticating a MAC Auth Client Using SNMP The MIB variable hpicfUsrAuthMacAuthClientReauthentica teEntry in the hpicfUsrAuthMIB provides the capability to reauthenticate a specific MAC auth client on a port The MAC address and port are required for SNMP reauthentication HP Switch config show port access mac b...

Page 196: ...le HP Switch config aaa port access mac based unauth redirect https serverA com 124 registration server reg html Unconfiguring a MAC Auth Registration Server Each configured registration server s URL must be removed by specifying it exactly for example HP Switch config no aaa port access mac based unauth redirect https serverA com 124 registration server reg html Operating Notes for HTTP Redirect ...

Page 197: ... Number of authorized and unauthorized clients VLAN ID number of the untagged VLAN used If the switch supports MAC based untagged VLANs MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions If tagged VLANs statically configured or RADIUS assigned are used Yes or No If client specific per port CoS Class of Service values are configured Yes or No or th...

Page 198: ...ddress for each MAC authenticated client on the switch The IP address displayed is taken from the DHCP binding table learned through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If a MAC authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for ...

Page 199: ...ed for a client s IP address n a IPv6 a web authenticated client uses an IPv6 address n a no info DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table HP Switch config show port access mac based clients 1 detailed Port Access MAC Based Client Status Detailed Client Base Details Port 1 Session Status authenticated Session Time sec 6 Username clie...

Page 200: ...es or No Controlled directions setting for transmitting Wake on LAN traffic on egress ports Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0 the default VLAN ID is used unless overridden by a RADIUS assigned value HP Switch config show port access mac based config Port Access MAC Based Configuration MAC Address Format no delimiter Allow RADIUS assigned dyna...

Page 201: ...st detailed Displays more detailed information on the currently config ured MAC Authentication settings for specified ports HP Switch config show port access mac based config 1 detailed Port Access MAC Based Detailed Configuration Port 1 Web based enabled Yes Client Limit 1 Client Moves No Logoff Period 300 Re Auth Period 0 Unauth VLAN ID 0 Auth VLAN ID 0 Max Requests 3 Quiet Period 60 Server Time...

Page 202: ...ts or specified ports and includes RADIUS server specific settings such as Timeout waiting period Numberoftimeoutssupportedbeforeauthenticationlogin fails Length of time quiet period supported between authentication login attempts HP Switch config show port access mac based config auth server Port Access MAC Based Configuration Client Client Logoff Re Auth Max Quiet Server Port Enabled Limit Moves...

Page 203: ...iculties See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan Unauthorized VLAN only 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfully applied to the port An a...

Page 204: ...4 72 Web and MAC Authentication Client Status ...

Page 205: ... 5 8 view the switch s TACACS server contact configuration n a page 5 9 configure the switch s authentication methods disabled page 5 10 configure the switch to contact TACACS server s disabled page 5 17 B Switch Configured for TACACS Operation Terminal A Directly Accessing the Switch Via Switch s Console Port Terminal B Remotely Accessing The Switch Via Telnet A Primary TACACS Server The switch p...

Page 206: ... authentication services Some other terms you may see in literature describing TACACS operation are communication server remote access server or terminal server These terms apply to a switch when TACACS is enabled on the switch that is when the switch is TACACS aware TACACS Server The server or management station configured as an access control server for TACACS enabled devices To use TACACS with ...

Page 207: ...e on local authentication refer to chapter 2 Configuring Username and Password Security TACACS Authentication This method enables you to use a TACACS server in your network to assign a unique password user name and privilege level to each individual or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central se...

Page 208: ...nstallation This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect WebAgent access Refer to Controlling WebAgent Access When Using TACACS Authentication on page 5 28 General Authentication Setup Procedure It is important to test the TACACS service before fully implementing it Depending on the process and par...

Page 209: ...ator read only privilege level and the sets for logging in at the Manager read write privilege level The IP address es of the TACACS server s youwanttheswitchtouse for authentication If you will use more than one server determine which server is your first choice for authentication services The encryption key if any for allowingtheswitchtocommunicate with the server You can use either aglobalkeyor...

Page 210: ...correct local username and password for Manager access If the switch cannot find any designated TACACS servers the local manager and operator username password pairs are always used as the secondary access control method Caution You should ensure that the switch has a local Manager password Other wise if authentication through a TACACS server fails for any reason then unauthorized access will be a...

Page 211: ...ing data that could affect the console access 9 When you are confident that TACACS access through both Telnet and the switch s console operates properly use the write memory command to save the switch s running config file to flash Configuring TACACS on the Switch Before You Begin If you are new to TACACS authentication HP recommends that you read the General Authentication Setup Procedure on page...

Page 212: ...empts the switch allows in a single login session and the primary secondary access methods configured for each type of access Syntax show authentication This example shows the default authentication configuration Command Page show authentication 5 8 show tacacs 5 9 aaa authentication 5 10 through 5 16 console Telnet num attempts 1 10 tacacs server 5 17 host ip addr 5 17 key 5 22 timeout 1 255 5 23...

Page 213: ...CACS Configuration Listing HP Switch config show authentication Status and Counters Authentication Information Login Attempts 3 Respect Privilege Disabled Login Login Login Access Task Primary Server Group Secondary Console Local None Telnet Local None Enable Enable Enable Access Task Primary Server Group Secondary Console Local None Telnet Local None Configuration for login and enable access to t...

Page 214: ...Option for Login When using TACACS to control user access to the switch you must first login with your username at the Operator privilege level using the password for Operator privileges and then login again with the same username but using the Manger password to obtain Manager privileges You can avoid this double login process by entering the privilege mode option with the aaa authentication logi...

Page 215: ...eturned to the switch by the TACACS server Default Single login disabled local tacacs radius Selects the type of security access local Authenticates with the Manager and Operator password you configure in the switch tacacs Authenticates with a password and other data configured on a TACACS server radius Authenticates with a password and other data configured on a RADIUS server local none If the pr...

Page 216: ...enables TACACS for a single login The authorized privilege level Operator or Manager is returned to the switch by the TACACS server local or tacacs local n a Specifies the primary method of authentication for the access method being configured local Use the username password pair configured locally in the switch for the privilege level being configured tacacs Use a TACACS server local or none none...

Page 217: ...root privilege level is the only level that will allow Manager level access on the switch Figure 5 4 Advanced TACACS Settings Section of the TACACS Server User Setup Then scroll down to the section that begins with Shell See Figure 5 5 Check the Shell box Check the Privilege level box and set the privilege level to 15 to allow root privileges This allows you to use the single login option ...

Page 218: ...Server User Setup As shown in the next table login and enable access is always available locally through a direct terminal connection to the switch s console port However for Telnet access you can configure TACACS to deny access if a TACACS server goes down or otherwise becomes unavailable to the switch ...

Page 219: ...hentication while configuring Enable Primary for TACACS authentication is not recommended as it defeats the purpose of using the TACACS authentication If you want Enable Primary log in attempts to go to a TACACS server then you should configure both Login Primary and Enable Primary for Tacacs authentication instead of configuring Login Primary to Local authentication Access Method and Privilege Le...

Page 220: ...ry using TACACS server Secondary using Local HP Switch config aaa authentication console enable tacacs local Telnet Login Operator or Read Only Access Primary using TACACS server Secondary using Local HP Switch config aaa authentication Telnet login tacacs local Telnet Enable Manager or Read Write Access Primary using TACACS server Secondary using Local HP Switch config aaa authentication telnet e...

Page 221: ...rent encryption keys you can configure the switch to use different encryp tion keys for different TACACS servers The timeout value in seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the ...

Page 222: ...rs having different encryp tion keys you can configure the switch to use different encryption keys for different TACACS servers no tacacs server host ip addr Removes a TACACS server assignment including its server specific encryption key if any tacacs server key key string encrypted key key string Configures an optional global encryption key Keys configured in the switch must exactly match the enc...

Page 223: ...nd to a request the switch tries the second address if any in the show tacacs list If the second address also fails then the switch tries the third address if any See figure 5 3 Example of the Switch s TACACS Configuration Listing on 5 9 The priority first choice second choice and third choice of a TACACS server in the switch s TACACS configuration depends on the order in which you enter the serve...

Page 224: ...ned in the TACACS server s that the switch will access for authentication This option is subordinate to any per server encryption keys you assign and applies only to accessing TACACS servers for which you have not given the switch a per server key See the host ip addr key key string entry at the beginning of this table You can configure a TACACS encryption key that includes a tilde as part of the ...

Page 225: ...command to delete both servers then use tacacs serverhost ip addr to re enter the 10 server first then the 15 server The servers would then be listed with the new first choice server that is HP Switch config show running config Running configuration J8692A Configuration Editor Created on release K 14 00x hostname HP Switch 3500yl 24G module 1 type J86xxA vlan 1 name DEFAULT_VLAN untagged 1 24 ip a...

Page 226: ...pts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 5 26 To configure north01 as a global encryption key HP Switch config tacacs server key north01 To configure north01 as a per server encryption key HP Switch config tacacs server host 10 28 227 63 key north01 An encryption key...

Page 227: ...keystring The keystring parameter is the encryption key in clear text Note The show tacacs command lists the global encryption key if configured However to view any configured per server encryption keys you must use show config or show config running if you have made TACACS configuration changes without executing write mem Configuring the Timeout Period The timeout period specifies how long the sw...

Page 228: ...not receive a response from the first choice TACACS server it attempts to query a secondary server If the switch does not receive a response from any TACACS server then it uses its own local username password pairs to authenti cate the logon request See Local Authentication Process on page 5 25 If a TACACS server recognizes the switch it forwards a user name prompt to the requesting terminal via t...

Page 229: ...thout a successful TACACS authentication the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again Local Authentication Process When the switch is configured to use TACACS it reverts to local authentica tion only if one of these two conditions exists Local is the authentication option for the access method being used TACACS is the p...

Page 230: ...In this case all prompts for local authentication will request only a local password However if you use the CLI or the WebAgent to configure usernames for local access you will see a prompt for both a local username and a local password during local authen tication Using the Encryption Key General Operation When used the encryption key sometimes termed key secret key or secret helpstopreventunauth...

Page 231: ...ame for all TACACS servers the switch will use for authentication then configure a global key in the switch If the key is different for one or more of these servers use server specific keys in the switch If you configure both a global key and one or more per server keys the per server keys will override the global key for the specified servers For example you would use the next command to configur...

Page 232: ... the following Configure local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow WebAgent access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Disable WebAgent access to the switch by going to the System In...

Page 233: ...ation Invalid password The system does not recognize the username or the password or both Depending on the authentication method tacacs or local either the TACACS server application did not recognize the username password pair orthe username password pair did not match the username password pair configured in the switch No Tacacs servers responding TheswitchhasnotbeenabletocontactanydesignatedTACA...

Page 234: ...excludes because independent of TACACS the switch already denies access to such stations When TACACS is not enabled on the switch or when the switch s only designated TACACS servers are not accessible setting a local Operator password without also setting a local Manager password does not protect the switch from manager level access by unauthor ized persons When using the copy command to transfer ...

Page 235: ...users For accounting this can help you track network resource usage Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the HP switch Serial port Console Telnet SSH SFTP SCP WebAgent 8212zl 5400zl 4200vl 2800sasofsoftwareversionI 08 60 and 2600s as of software version H 08 58 switches Port Access 802 1X Feature Default Menu CLI W...

Page 236: ...be used for trend analysis capacity planning billing auditing and cost analysis RADIUS Administered CoS and Rate Limiting The switches covered in this guide take advantage of vendor specific attri butes VSAs applied in a RADIUS server to support these optional RADIUS assigned attributes 802 1p CoS priority assignment to inbound traffic on the specified port s port access authentication only Per Po...

Page 237: ...tchAuth MIB Management Information Base A management station running an SNMP networked device manage ment application such as HP PCM or HP OpenView can access the switch s MIB for read access to the switch s status and read write access to the switch s configuration For more information including the CLI command to use for disabling this feature refer to Using SNMP To View and Configure Switch Aut...

Page 238: ...on mechanism is known as an EAP type such as MD5 Challenge Generic Token Card and TLS Transport Level Security EXEC Session a service EXEC shell granted to the authenticated login user for doing management operations on the HP device Host See RADIUS Server NAS Network Access Server In this case a HP switch configured for RADIUS security operation RADIUS Remote Authentication Dial In User Service a...

Page 239: ...To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 6 72 YoucanselectRADIUSastheprimaryauthenticationmethodforeach type of access Only one primary and one secondary access method is allowed for each access type In the HP switch EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server When primary secondar...

Page 240: ...IUS authentication fails or does not respond Figure 6 1 Example of Possible RADIUS Access Assignments HP Switch config show authentication Status and Counters Authentication Information Login Attempts 3 Respect Privilege Disabled Login Login Login Access Task Primary Server Group Secondary Console Local Local Telnet Local None Port Access Local None Webui Local None SSH Local None Web Auth ChapRad...

Page 241: ... to wait for a server to respond to a request HP recommends that you begin with the default five seconds Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting This depends on how many RADIUS servers you have configured the switch to access Determine whether you want to bypass a RADIUS server that fails to respond to requests ...

Page 242: ... Type value received from the RADIUS server Refer to 1 Configure Authentication for the Access Methods You Want RADIUS To Protect on page 6 10 3 Configure the switch for accessing one or more RADIUS servers one primary server and up to two backup servers Note This step assumes you have already configured the RADIUS server s to support the switch Refer to the documentation provided with the RADIUS ...

Page 243: ...trieswhenthereisnoserver response to a RADIUS authentication request Default 3 range of 1 to 5 Server Dead Time The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request This avoids a wait for a request to time out on a server that is unavailable If you want to use this feature select a dead time period of 1 to ...

Page 244: ...or primary authentication you must config ure local for the secondary method This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail Syntax aaa authentication console telnet ssh web enable login local radius web based mac based chap radius peap radius Configures RADIUS as the primary password authentication method for console Tel...

Page 245: ...ndary authentication method used when there is a failure accessing the RADIUS servers allows clients to access the network unconditionally Use this method with care Figure 6 2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port access Web auth access and MAC auth access Since the configuration of authorized means no authenticati...

Page 246: ...ig show authentication Status and Counters Authentication Information Login Attempts 3 Respect Privilege Disabled Login Login Login Access Task Primary Server Group Secondary Console Local None Telnet Local None Port Access Local Authorized Webui Local None SSH Local None Web Auth ChapRadius radius Authorized MAC Auth ChapRadius radius None Enable Enable Enable Access Task Primary Server Group Sec...

Page 247: ...authenticated user authorized for the Manager privilege level must authenticate again to change privilege levels Using the optional login privilege mode command overrides HP Switch config aaa authentication telnet login radius none HP Switch config aaa authentication telnet enable radius none HP Switch config aaa authentication ssh login radius none HP Switch config aaa authentication ssh enable r...

Page 248: ... Prompt User 7 Operator Any Other Type Any ValueExcept 6 or 7 Access Denied This feature applies to console serial port Telnet SSH and WebAgent access to the switch It does not apply to 802 1X port access Notes While this option is enabled a Service Type value other than 6 or 7 or an unconfigured null Service Type causes the switch to deny access to the requesting client The no form of the command...

Page 249: ... servers The switch uses the first server it successfully accesses Refer to Changing the RADIUS Server Access Order on page 6 72 For switches that have a separate out of band manage ment port the oobm parameter specifies that the RADIUS traffic will go through the out of band management OOBM port auth port port number Optional Changes the UDP destination port for authenti cation requests to the sp...

Page 250: ...ing authentication oraccounting sessionswiththespecified server This key must match the encryption key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for the global encryption key Note Formerly when you saved the configuration file using Xmodem or TFTP the RADIUS encryption key infor mation was not saved in the file This ...

Page 251: ...sidered to be cur rent and accepted for processing A zero value means there is no time limit A non zero value indicates that the even timestamp attribute is expected as part of all Change of Authorization and Disconnect request messages If the timestamp attribute is not present the message is dropped Default 300 seconds no radius server host ip address key Use the no form of the command to remove ...

Page 252: ...is key is optional if you configure a server specific key for each RADIUS server entered in the switch Refer to 3 Configure the Switch To Access a RADIUS Server on page 6 15 Server timeout Defines the time period in seconds for authentica tion attempts If the timeout period expires before a response is received the attempt fails Server dead time Specifies the time in minutes during which the switc...

Page 253: ...nge 1 10 no radius server key global key string Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key Default Null encrypted key global key string Global encryption key specified using a base64 encoded a...

Page 254: ...ticatingaccessthroughTelnetandSSH Twooftheseservers use the same encryption key In this case your plan is to configure the switch with the following global authentication parameters Allow only two tries to correctly enter username and password Use the global encryption key to support the two servers that use the same key For this example assume that you did not configure these two servers with a s...

Page 255: ...lowing a request that did not receive a response Figure 6 6 Example of Global Configuration Exercise for RADIUS Authentication Switch config aaa authentication num attempts 2 Switch config radius server key My Global KEY 1099 Switch config radius server dead time 5 Switch config radius server timeout 3 Switch config radius server retransmit 2 Switch config write mem ...

Page 256: ...rimary Server Group Secondary Console Local None Telnet Radius None Webui Local None SSH Radius None HP Switch config show radius Status and Counters General RADIUS Information Deadtime min 5 Timeout secs 3 Retransmit Attempts 2 Global Encryption Key My Global Key 1099 Dynamic Authorization UDP Port 3799 Auth Acct DM Time Server IP Addr Port Port CoA Window Encryption Key OOBM 10 33 18 127 1812 18...

Page 257: ... Configuring the Switch for RADIUS Authentication on page 6 7 for more information about configuring RADIUS servers Figure 6 8 Example of RADIUS Server Group Command Output HP Switch config radius server host 10 33 18 151 acct port 1750 key source0151 HP Switch config write mem HP Switch config show radius Status and Counters General RADIUS Information Deadtime min 0 Timeout secs 5 Retransmit Atte...

Page 258: ...ot be edited The no form of the command removes the RADIUS server with the indicated IP address from the server group If that server was the last entry in the group the group is removed radius group name The group name of the RADIUS server group The name has a maximum length of 12 characters Up to five groups can be configured with a a maximum of three RADIUS servers in each group The first group ...

Page 259: ...ased port access to the switch Use peap mschapv2 when you want password verification without requiring access to a plain text pass word it is more secure Default chap radius port access local eap radius chap radius Configures local chap radius MD5 or eap radius as the primary password authentication method for port access The default primary authentication is local Refer to the documentation for y...

Page 260: ...OOBM 192 168 1 3 1812 1813 No 300 default_key No 192 168 3 3 1812 1813 No 300 grp2_key No 192 172 4 5 1812 1813 No 300 grp2_key No 192 173 6 7 1812 1813 No 300 grp2_key No 192 168 30 3 1812 1813 No 300 grp3_key No 192 172 40 5 1812 1813 No 300 grp3_key No 192 173 60 7 1812 1813 No 300 grp3_key No Group Name group2 Auth Acct DM Time Server IP Addr Port Port CoA Window Encryption Key OOBM 192 168 3 ...

Page 261: ...dius None Telnet Local radius None Port Access Local None Webui Local None SSH Local None Web Auth ChapRadius group3 None MAC Auth ChapRadius group3 None Enable Enable Enable Access Task Primary Server Group Secondary Console Local radius None Telnet Radius group2 None Webui Local None SSH Local None Server group information HP Switch config show accounting Status and Counters Accounting Informati...

Page 262: ...tications are not disabled when the RADIUS server is unavailable The switch initiates reauthentications of clients at the specified period and the clients must comply with the requirements for the reauthentication pro cedure exactly as is done for the authorized authentication method The table below summarizes the differences between the authorized method and the cached reauthentication method Cac...

Page 263: ...ndary method Allows reauthentications to succeed when the RADIUS server is unavailable Users already authenticated retain their currently assigned session attributes The primary methods forport access authentication are local chap radius or eap radius The primary method for web based or mac based authentica tion is chap radius The secondary methods can be none authorized or cached reauth The defau...

Page 264: ...r Web MAC authentication allows the first cached reauthentica tion and starts the cached reauth period 6 A number of cached reauthentications occur within the 900 seconds after the start of the cached reauth period in step 5 These have a period of 180 X seconds 7 The cached reauthentication period 900 seconds ends 8 The next reauthentication begins 180 seconds after the last cached reau thenticati...

Page 265: ...cation 4 The time between step 8 and step 9 is X seconds 5 The total time is 180 X 900 180 X which equals 900 2 180 X seconds Note The period of 1 to 30 seconds represented by X is not a firm time period the time can vary depending on other 802 1X and Web MAC auth parameters ...

Page 266: ...e configuration for the authentication features listed above excluding usernames passwords and keys Using SNMPsets a managementdevicecanchangetheauthenticationconfiguration includingchangesto usernames passwords andkeys Operatorread write access to the authentication MIB is always denied Security Note s All usernames passwords and keys configured in the hpSwitchAuth MIB are not returned via SNMP a...

Page 267: ...he following two commands Syntax snmp server mib hpswitchauthmib excluded included included Enables manager level SNMP read write access to the switch s authentication configuration hpSwitchAuth MIB excluded Disables manager level SNMP read write access to the switch s authentication configuration hpSwitchAuth MIB Default included Syntax show snmp server The output for this command has been enhanc...

Page 268: ..._____ SNMP Authentication Extended Password change Enabled Login failures Enabled Port Security Enabled Authorization Server Contact Enabled DHCP Snooping Enabled Dynamic ARP Protection Enabled Dynamic IP Lockdown Enabled Address Community Events Type Retry Timeout 15 255 131 57 public None trap 3 15 192 169 1 106 public None trap 3 15 15 255 135 68 public None trap 3 15 15 255 135 235 public None...

Page 269: ...w the Current Authentication MIB Access State HP Switch config show run Running configuration J9091A Configuration Editor Created on release K 15 01 000x hostname HP Switch ip default gateway 10 10 24 55 vlan 1 name DEFAULT_VLAN untagged A1 A24 B1 B4 ip address 10 10 24 100 255 255 255 0 exit snmp server community public Operator snmp server mib hpSwitchAuthMIB excluded password manager Indicatest...

Page 270: ...t the requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level of th...

Page 271: ...onfigure local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow WebAgent access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Use one of the following methods to disable WebAgent access to the switch via h...

Page 272: ...the services for a user by enabling AAA RADIUS authorization The NAS uses the information set up on the RADIUS server to control the user s access to CLI commands The authorization type implemented on the switches covered in this guide is the commands method This method explicitly specifies on the RADIUS server which commands are allowed on the client device for authenticated users This is done on...

Page 273: ... which indicates whether the user has permission to execute the commands in the list See Configuring the RADIUS Server on page 6 40 After the Access Accept packet is deliver the command list resides on the switch Any changes to the user s command list on the RADIUS server are not seen until the user is authenticated again Syntax no aaa authorization commands radius none Configures authorization fo...

Page 274: ...f commands that are permitted or denied execution by the user are called regular expressions The system compares those regular expressions against the full command name to determine whether the user is allowed to execute the command For example assume a RADIUS user is defined as follows User1 User Password hpswitch Service Type Administrative User HP Command Exception 1 Deny_list HP Command String...

Page 275: ... configure show running config In this case User1 is blocked from executing the commands configure and show running config but is able to execute the show config command The attributes supported with commands authorization are HP Command String List of commands regular expressions that are permitted or denied execution by the user The commands are delimited by semi colons and must be between 1 and...

Page 276: ... the switch Not present PermitList DenyOthers 0 Authenticated user can only execute aminimalsetofcommands thosethat are available by default to any user Commands List DenyList PermitOthers 1 Authenticated user may execute all commands except those in the Commands list Commands List PermitList DenyOthers 0 Authenticated user can execute only those commands provided in the Commands List plus the def...

Page 277: ...ictionary file for example hp ini containing the HP VSA definitions as shown in the example below User Defined Vendor The Name and IETF vendor code and any VSAs MUST be unique One or more VSAs named max 255 Each named VSA requires a definition section Types are STRING INTEGER IPADDR The profile specifies usage IN for accounting OUT for authorization MULTI if more than a single instance is allowed ...

Page 278: ...e sure regedit is not running as it can prevent registry backup restore operations Are you sure you want to proceed Y or N y Parsing hp ini for addition at UDV slot 0 Stopping any running services Creating backup of current config Adding Vendor HP added as RADIUS HP Done Checking new configuration New configuration OK Re starting stopped services 4 Start the registry editor regedit and browse to H...

Page 279: ...face Configuration Group Setup User Setup To enable the processing of the HP Command String VSA for RADIUS accounting 1 Select System Configuration 2 Select Logging 3 Select CSV RADIUS Accounting In the Select Columns to Log section add the HP Command String attribute to the Logged Attributes list 4 Select Submit 5 Select Network Configuration In the AAA Clients section select an entry in the AAA ...

Page 280: ...y dictionary hp to that location Open the existing dictionary file and add this entry INCLUDE dictionary hp 4 You can now use HP VSAs with other attributes when configuring user entries dictionary hp As posted to the list by User user_email Version Id dictionary hp v 1 0 2006 02 23 17 07 07 VENDOR Hp 11 HP Extensions ATTRIBUTE Hp Command String 2 string Hp ATTRIBUTE Hp Command Exception 3 integer ...

Page 281: ...lient sessions are already running all clients are on the same untagged VLAN unless MAC based VLANs are enabled Please see MAC Based VLANs on page 6 51 If the RADIUS server subsequently authenticates a new client but attempts to re assign the port to a different untagged VLAN than the one already in use for the previously existing authenticated client sessions the connection for the new client wil...

Page 282: ...es The following attributes are included in Access Request and Access Account ing packets sent from the switch to the RADIUS server to advertise switch capabilities report information on authentication sessions and dynamically reconfigure authentication parameters MS RAS Vendor RFC 2548 Allows HP switches to inform a Micro soft RADIUS server that the switches are from HP Networking This feature as...

Page 283: ...ticated user In this case you can change the userprofile onthe RADIUSserverandhavethenew authorizationsettings take effect immediately in the active client session The Change of Autho rizationattributeprovidesthemechanismtodynamicallyupdateanactive client session with a new user policy that is sent in RADIUS packets See figures 6 16 and 6 17 See 3 Configure the Switch To Access a RADIUS Server on ...

Page 284: ...nformation Authorization Client IP Address 154 23 45 111 Unknown PKT Types Received 0 Disc Reqs 2 CoA Reqs 1 Disc Reqs Authorize Only 0 CoA Reqs Authorize Only 0 Disc ACKs 2 CoA ACKs 1 Disc NAKs 0 CoA NAKs 0 Disc NAKs Authorize Only 0 CoA NAKs Authorize Only 0 Disc NAKs No Ses Found 0 CoA NAKs No Ses Found 0 Disc Reqs Ses Removed 0 CoA Reqs Ses Changed 0 Disc Reqs Malformed 0 CoA Reqs Malformed 0 ...

Page 285: ...icatedclientis present on theunauthVLAN and another client successfully authenticates on that port the unauthenti cated client is kicked off the port When a MBV cannot be applied due to a conflict with another client on that port a message indicating VID arbitration error is logged When a MBV cannot be applied due to lack of resources a message indicating lack of resources is logged There is no co...

Page 286: ...ounting Provides records containing the information listed below when system events occur on the switch including system reset system boot and enabling or disabling of system accounting Acct Session Id Acct Status Type Acct Terminate Cause Acct Authentic Acct Delay Time Acct Input Packets Acct Output Packets Acct Input Octets Nas Port Acct Output Octets Acct Session Time User Name Service Type NAS...

Page 287: ...ch does not learn the IP address after a minute it sends the accounting request packet to the RADIUS server without the Framed IP Address attribute If the IP address is learned at a later time it will be included in the next accounting request packet sent The switch forwards the accounting information it collects to the designated RADIUS server where the information is formatted stored and managed...

Page 288: ... in the same management session the default same Acct Session ID for all accounting service types used in the same management session Unique Acct Session ID Operation In the Unique mode the default the various service types running in a management session operate as parallel independent processes Thus during a specific management session a given service type has the same Acct Session ID for all ac...

Page 289: ...Name fred NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 NAS Port Type Virtual Calling Station Id 172 22 17 101 HP Command String logout Acct Delay Time 0 Acct Session Id 003300000008 Acct Status Type Stop Service Type NAS Prompt User Acct Authentic RADIUS NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 User Name fred Calling Station Id 172 22 17 101 Acct Terminate Cause User Request ...

Page 290: ...cct Status Type Stop Service Type NAS Prompt User Acct Authentic RADIUS User Name fred NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 NAS Port Type Virtual Calling Station Id 172 22 17 101 HP Command String logout Acct Delay Time 0 Acct Session Id 00330000000B Acct Status Type Stop Service Type NAS Prompt User Acct Authentic RADIUS NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 User ...

Page 291: ...y two backup The switch operates on the assumption that a server can operate in both accounting and authentication mode Refer to the documentation for your RADIUS server application Use the same radius server host command that you would use to configure RADIUS authentication Refer to 1 Configure the Switch To Access a RADIUS Server on page 6 58 RADIUS Accounting Commands Page no radius server host...

Page 292: ... and incrementing of this ID per CLI command for the Command service type Refer to Unique Acct Session ID Operation on page 6 54 Common Establishes the same Acct Session ID value for all service types including successive CLI commands in the same management session 3 Configure accounting types and the controls for sending reports to the RADIUS server Accounting types exec page 6 52 network page 6 ...

Page 293: ...erver from the configuration acct port port number Optional Changes the UDP destination port for accounting requests to the specified RADIUS server If you do not use this option the switch automatically assigns the default accounting port number Default 1813 key key string Optional Specifies an encryption key for use during accounting or authentication sessions with the speci fied server This key ...

Page 294: ...ct Session ID Operation HP Switch config radius server host 10 33 18 151 acct port 1750 key source0151 HP Switch config write mem HP Switch config show radius Status and Counters General RADIUS Information Deadtime min 0 Timeout secs 5 Retransmit Attempts 3 Global Encryption Key Dynamic Authorization UDP Port 3799 Auth Acct DM Time Server IP Addr Port Port CoA Window Encryption Key OOBM 10 33 18 1...

Page 295: ...stem accounting is turned on or off Note that there is no time span associated with using the system option It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs common Configures the switch to apply the same Acct Ses sion ID to all accounting service types in the same manage ment session For more on these options refer to Acct Sessio...

Page 296: ...nd of the session Both notices include the latest data the switch has collected for the requested accounting type Do not wait for an acknowledgement Stop Only Appliestothenetwork exec system andcommandservice types as described below Send a stop record accounting notice at the end of the accounting session The notice includes the latest data the switch has collected for the requested accounting ty...

Page 297: ...he session ID was configured as common Syntax no aaa accounting exec network system start stop stop only radius no aaa accounting command stop only interim only radius Configures RADIUS accounting service type and how data will be sent to the RADIUS server exec network system command Specifies an accounting service type to configure Refer to Accounting Service Types on page 6 61 start stop Applies...

Page 298: ... HP Switch config aaa accounting exec start stop radius HP Switch config aaa accounting system stop only radius HP Switch config aaa accounting commands interim update radius HP Switch config show accounting Status and Counters Accounting Information Interval min 0 Suppress Empty User No Sessions Identification Common Type Method Mode Server Group Network None Exec Radius Start Stop System Radius ...

Page 299: ...1 242 15 NAS Identifier gsf_dosx_15 Calling Station Id 0 0 0 0 Acct Delay Time 0 Acct Session Id 003600000002 Acct Status Type Interim Update Service Type NAS Prompt User Acct Authentic Local NAS IP Address 10 1 242 15 NAS Identifier gsf_dosx_15 NAS Port Type Virtual Calling Station Id 0 0 0 0 HP Command String reload Acct Delay Time 0 Acct Session Id 003600000001 Acct Status Type Accounting Off N...

Page 300: ...ure 6 24 Example of Optional Accounting Update Period and Accounting Suppression on Unknown User Syntax no aaa accounting update periodic 1 525600 Sets the accounting update period for all accounting ses sions on the switch The no form disables the update function and resets the value to zero Default zero dis abled Syntax no aaa accounting suppress null username Disables accounting for unknown use...

Page 301: ... a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Accounting Services on page 6 52 HP Switch show radius Status and Counters General RADIUS Information Deadtime min 5 Timeout secs 10 Retransmit Attempts 2 Global Encryption Key myg10balkey Dynamic Authorization UDP Port 3799 Source IP Sel...

Page 302: ...l as a timeout A send to a different server is counted as an Accounting Request as well as a timeout Malformed Responses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses Bad Authenticators The number of RADIUS Accountin...

Page 303: ...this server Access Rejects The number of RADIUS Access Reject packets valid or invalid received from this server Responses The number of RADIUS packets received on the accounting port from this server Term Definition Syntax show authentication Displays the primary and secondary authentication meth ods configured for the Console Telnet Port Access 802 1X and SSH methods of accessing the switch Also...

Page 304: ...sabled Login Login Login Access Task Primary Server Group Secondary Console Local None Telnet Radius None Port Access Local None Webui Local None SSH Radius None Web Auth ChapRadius radius None MAC Auth ChapRadius radius None Enable Enable Enable Access Task Primary Server Group Secondary Console Local None Telnet Radius None Webui Local None SSH Radius None HP Switch config show radius authentica...

Page 305: ...s and modes show radius accounting Lists accounting statistics for the RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the switch HP Switch config show accounting Status and Counters Accounting Information Interval min 5 Suppress Empty User No Sessions Identification Common Type Method Mode Se...

Page 306: ...e server addresses they are listed in the order in which you entered them However if you subsequently remove the second server address in the list and add a new server address the new address will be placed second in the list Thus to move a server address up in the list you must delete it from the list ensure that the position to which you want to move it is vacant and then re enterit Forexample s...

Page 307: ...t in the list 4 Re enter 10 10 10 1 Because the only position open is the third position this address becomes last in the list HP Switch show radius Status and Counters General RADIUS Information Deadtime min 0 Timeout secs 5 Retransmit Attempts 3 Global Encryption Key Dynamic Authorization UDP Port 3799 Source IP Selection Outgoing Interface Auth Acct DM Time Server IP Addr Port Port CoA Window E...

Page 308: ... 0 Timeout secs 5 Retransmit Attempts 3 Global Encryption Key Dynamic Authorization UDP Port 3799 Source IP Selection Outgoing Interface Auth Acct DM Time Server IP Addr Port Port CoA Window Encryption Key OOBM 10 10 10 3 1812 1813 No 300 No 10 10 10 2 1812 1813 No 300 No 10 10 10 1 1812 1813 No 300 No Removes the 3 and 1 addresses from the RADIUS server list Insertsthe 3 addressinthefirstposition...

Page 309: ...ount names To do this groups are created that contain up to 16 user accounts The group has a list of match commands that determine if that user is authorized to execute that command Up to 100 local user accounts are supported The local user accounts are stored in the configuration as an SHA1 hash which is only displayed if include credentials is enabled A password is required for the local user ac...

Page 310: ...ot contain spaces Duplicate names are not allowed You can create a maximum of 16 groups The name of the group can have a maximum of 16 characters 1 2147483647 The evaluation order for the match commands match command command string The command string is the CLI command It must be surrounded in double quotes if it contains any spaces for example vlan The command string is a POSIX regular expression...

Page 311: ...ect Order Some commands cause the switch CLI to enter a special context such as test mode and the input is not processed by the normal CLI Keyboard input is not checked against the command authorization group If these special contexts are permitted the user can proceed outside the control and logging of the command group configuration Configuring a Local User for a Group Local manager user logins ...

Page 312: ...er for a defined group local user username The local user being added to the authorization group The username can have a maximum of 16 characters It must not contain spaces and is case sensitive group group name The authorization group the local user belongs to The group must have been created already password plaintext sha1 password The plaintext password string can have a maximum of 16 character...

Page 313: ...rmation about users and command authorization for command groups Specifying the group parameter without any group names displays information for all configured groups HP Switch config show authorization group Local Management Groups Authorization Information Group Name Redgroup Username User1 User2 Sequence Permission Command Expression Log 100 Permit configure Disable 200 Permit vlan Disable Grou...

Page 314: ...anges are always applied to the port on the authenticator switch associated with the supplicant being authenti cated Note All the changes requested by the VSAs must be valid for the switch configura tion For example if either MAC based or Web based port access is configured while 802 1X port access is in client mode a RADIUS client with a VSA to change the 802 1X port access to port based mode is ...

Page 315: ...he VSA Values range from 0 to 256 clients A zero client limit means this VSA is disabled This is an HP proprietary VSA with a value of 11 HP Port Client Limit WA This VSA temporarily alters the Web authentication client limit to the value contained in the VSA Values range from 0 to 256 clients A zero client limit means this VSA is disabled This is an HP proprietary VSA with a value of 12 HP Port A...

Page 316: ... access is in port mode If the 802 1X client limit is configured with a value from 1 32 the port access is in user mode Figure 6 38 Example of Summary Configuration Information Showing RADIUS Overridden Client Limits Syntax show port access summary radius overridden Displays summary configuration information for all ports including the ports that have client limits set by RADIUS VSAs radius overri...

Page 317: ...not supported The new VSAs are not supported in IDM and they cannot be specified in the configurations The new VSAs must be configured manually If the RADIUS server delivers a new VSA to an authenticator switch that does not understand it the Access Accept message is rejected HP Switch config show port access summary radius overridden Port Access Status Summary Port access authenticator activated ...

Page 318: ...er is correctly configured to receive an authentication request from the switch No server s responding The switch is configured for and attempting RADIUS authentication however it is not receiving a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions...

Page 319: ...be IPv4 capable Server must support IPv4 and have an IPv4 address Service Application Standard RADIUS Attribute1 HP Vendor Specific RADIUS Attribute VSA Cos Priority per user 59 40 Ingress Rate Limiting per user 46 Egress Rate Limiting per port2 48 ACLs IPv6 and or IPv4 ACEs NAS Filter Rule per user 92 61 NAS Rules IPv6 sets IP mode to IPv4 only or IPv4 and IPv6 per user 63 1 HP recommends using t...

Page 320: ...or information on support for the above services in the PCM application using the HP PMC Identity Driven Management IDM plug in refer to the documentation for these applications on the HP web site at www hp com All of the RADIUS based services described in this chapter can be used without PCM or HP PMC IDM support if desired ...

Page 321: ...icated on a switch port Note Beginning with software release K 14 01 this attribute is assigned per authenticated user instead of per port Standard Attribute used in the RADIUS server 59 This is the preferred attribute for new or updated configurations Vendor Specific Attribute used in the RADIUS server This attribute is maintained for legacy configurations HP vendor specific ID 11 VSA 40 Setting ...

Page 322: ...ilable for ingress traffic from an authenticated client can be affected by the total bandwidth available on the client port Refer to Per Port Bandwidth Override on page 7 6 Egress Outbound Rate Limiting Per Port Assigns a RADIUS configuredbandwidth limit to the outbound traffic sentto a switch port Vendor Specific Attribute used in the RADIUS server HP vendor specific ID 11 VSA 48 string HP Settin...

Page 323: ...their respective incremental values resulting in applied rates lower than the RADIUS assigned rates However others match their respective incremental values resulting in no difference between the RADIUS assigned rate limits and the applied rate limits Table 7 4 Examples of Assigned and Applied Rate Limits RADIUS Assigned Bits Per Second Rate Limit Applied Rate Limiting Increment 1 10 999 999 100 K...

Page 324: ...ps 50 of available bandwidth and is receiving 450 000 Kbps of traffic from existing clients If a RADIUS server then authenticates a new client with an ingress rate limit of 100 000 Kbps the maximum ingress rate limit actually available for the new client is 50 000 Kbps as long as the bandwidth usage by the other clients already on the port remains at 450 000 Kbps For more on static rate limiting r...

Page 325: ...mit all bcast icmp mcast in kbps percent Outbound Egress Rate Limiting rate limit all bcast icmp mcast out kbps percent Appliesper port thatis toall clients on the port Uses the value assigned to the port by the most recent instance of client authentication Syntax show port access web based clients port list detail mac based clients port list detail authenticator clients port list detail If the sw...

Page 326: ... of 3 an inbound rate limit of 10 000 kbps and an outbound rate limit of 50 000 kbps then The inbound traffic from client X will be subject to a priority of 3 and inbound rate limit of 10 000 kbps Traffic from other clients using the port will not be affected by these values The combined rate limit outbound for all clients using the port will be 50 000 kbps until either all client sessions end or ...

Page 327: ...ssion for client X is still active then the port operates with an outbound rate limit of 500 kbps for both clients Figure 7 1 Example Illustrating Results of Client Authentication on Port 4 Assignment Method on Port 10 802 1p Inbound Rate Limit Outbound Rate Limit Statically Configured Values 7 100 000 kbs 100 000 kbs RADIUS assigned when client X authenticates 3 10 000 kbs 50 000 kbs Combined rat...

Page 328: ...ride Disabled Disabled No override 2 Disabled Disabled No override Disabled Disabled No override 3 1000 kbps Override 1000 kbps 50000 4 50 Override 50 50000 5 50 No override 50 No override Ports3 5haveCLI configuredinboundper port rate limits and clients with RADIUS assigned inbound per client rate limits To see the per client RADIUS settings use the command illustrated in figure 7 1 Ports 3 5 als...

Page 329: ...ontrol Lists ACLs in this manual the chapter titled IPv6 Access Control Lists ACLs in thelatest IPv6 Configuration Guide for your switch Terminology ACE See Access Control Entry below Access Control Entry ACE An ACE is a policy consisting of a packet handling action and criteria to define the packets on which to apply the action For ACE details refer to ACE Syntax in RADIUS Servers on page 7 26 Ac...

Page 330: ...P traffic from any source to any destination This statement is the implicit final statement in an ACL Dynamic ACL See RADIUS assigned ACL Extended ACL This is an IPv4 access control list that uses layer 3 criteria composed of source and destination IPv4 addresses and optionally TCP UDP port ICMP IGMP precedence or ToS criteria to determine whether there is a match with an IP packet Except for RADI...

Page 331: ... ACE The prefix length is specified in CIDR format by nn immediately following the specified SA or DA address For example if the SA prefix in an ACE is 2001 db8 127 48 then the first 48 bits in the SA of a packet being com pared to that ACE must be the same to allow a match In this case bits 49 through 128 are not compared and are termed a wildcard For the IPv4 equivalent see ACL Mask RADIUS Assig...

Page 332: ...also Access Control List VSA Vendor Specific Attribute A value used in a RADIUS based config uration to uniquely identify a networking feature that can be applied to a port on a given vendor s switch during an authenticated client session Wildcard The part of a mask that indicates the bits in a packet s IP addressing that do not need to match the corresponding bits specified in an ACL See also ACL...

Page 333: ... is identified by a unique username password pair or client MAC address and applies only to IP traffic entering the switch from clients that authenticate with the required unique credentials The switch allows multiple RADIUS assigned ACLs on a given port up to the maximum number of authenticated clients allowed on the port Also a RADIUS assigned ACL for a given client s traffic can be assigned reg...

Page 334: ...anipulation of data carried in IP packet transmissions they should not be relied upon for a complete edge security solution Depending on the ACL configuration in the RADIUS server the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic These ACLs do not filter non IP traffic such as AppleTalk and IPX ACL Type Function IPv4 IPv6 VACL Static ACL assignment to...

Page 335: ...ge of 1 199 or an alphanumeric name Supports dynamic assignment to filter only the IP traffic entering the switch from an authenticated client on the port to which the client is connected IPv6 traffic can be switched IPv4 traffic can be routed or switched For either IP traffic family includes traffic having a DA on the switch itself Supports static assignments to filter switched IPv6 traffic enter...

Page 336: ...h through a port on that VLAN as well as any inbound traffic having a DA on the switch itself An RACL can be applied to outbound IPv4 traffic on a VLANtofiltersroutedIPv4trafficleavingtheswitchthrough a port on that VLAN and includes routed IPv4 traffic generated by the switch itself A VACL can be applied on a VLAN to filter either IPv4 or IPv6 traffic entering the switch through a port on that VL...

Page 337: ... IPv4 traffic then the ACL will implicitly deny any inbound IPv6 traffic from the authenticated client If the filter rule used for a RADIUS based ACL is the option for specifying bothIPv4 and IPv6 traffic then the ACL filter both IP traffic types according to the ACEs included in the RADIUS assigned ACL When the client session ends the switch removes the RADIUS assigned ACL from the client port No...

Page 338: ...ound on the switch 2 Plan ACLs to execute traffic policies Apply ACLs on a per client basis where individual clients need differ ent traffic policies or where each client must have a different user name password pair or will authenticate using MAC authentication Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same username password pair...

Page 339: ...spect of maintaining network security However because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IP packet transmissions they should not be relied upon for a complete security solution Operating Rules for RADIUS Assigned ACLs Relating a Client to a RADIUS Assigned ACL A RADIUS assignedACLforaparticularclientmustbe configuredintheR...

Page 340: ... Same Port Ona portconfiguredfor802 1X user based access where multiple clients are connected if a given client s authentication results in a RADIUS assigned ACL then the authentication of any other client concurrently using the port must also include a RADIUS assigned ACL Thus if a RADIUS server is configured to assign a RADIUS assigned ACL when client X authen ticates but is not configured to do...

Page 341: ...r to the docu mentation provided with the application Note This application requires a RADIUS server having an IPv4 address Clients can be dual stack IPv4 only or IPv6 only A RADIUS assigned ACL configuration in a RADIUS server includes the following elements Nas Filter Rule attributes standard and vendor specific ACL configuration entered in the server and associated with specific username passwo...

Page 342: ...on the IPv6 option refer to Set IP Mode below Set IP Mode Used with the Nas filter Rule attribute described above to provide IPv6 traffic filtering capability in an ACE HP Nas Rules IPv6 63 Vendor Specific Attribute When using the standard attribute 92 described above in a RADIUS assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client one instance of this VSA must b...

Page 343: ...ter Rule deny in tcp from any to 10 10 10 1 23 Nas filter Rule deny in tcp from any to 0 23 In cases where you do not want the selected traffic type for either IPv4 or IPv6 to go to the any destination you must use two ACEs to specify the destination addresses For example HP Nas Rules IPv6 1 Nas filter Rule deny in tcp from any to 10 10 10 1 23 Nas filter Rule deny in tcp from any to fe80 23 23 To...

Page 344: ...nded to filter inbound IPv6 traffic from an authenticated client Refer also to table 7 7 Nas Filter Rule Attribute Options on page 7 24 HP Nas filter Rule Legacy HP VSA for filtering inbound IPv4 traffic only from an authenticated client Drops inbound IPv6 traffic from the client Refer also to table 7 7 Nas Filter Rule Attribute Options on page 7 24 Must be used to enclose and identifies a complet...

Page 345: ...sed instead of either of the above options For example all of the following destinations are for IPv4 traffic HP Nas filter Rule permit in tcp from any to any 23 HP Nas filter Rule permit in ip from any to 10 10 10 1 24 HP Nas filter Rule deny in ip from any to any Specifies any IPv4 or IPv6 destination address if the ACL uses the HP Nas Rules IPv6 VSA with an integer setting of 1 Refer to table 7...

Page 346: ...fix specifies the number of leftmost bits in a packet s destination IPv6 address that must match the corresponding bits in the destination IPv6 address listed in the ACE For example a destination of FE80 1b 127 112 in the ACE means that a match occurs when an inbound packet of the designated IPv6 type from the authenticated client has a destination IPv6 address where the first 112 are FE80 1b The ...

Page 347: ... and a password of run10kFast a client having a MAC address of 08 E9 9C 4F 00 19 The ACL in this example must achieve the following permit http TCP port 80 traffic from the client to the device at 10 10 10 101 deny http TCP port 80 traffic from the client to all other devices permit all other traffic from the client to all other devices To configure the above ACL you would enter the username passw...

Page 348: ...the VSA for RADIUS Assigned IPv6 and IPv4 ACLs in a FreeRADIUS Server mobilE011 Auth Type Local User Password run10kFast Nas FILTER Rule permit in tcp from any to host 10 10 10 101 80 Nas FILTER Rule deny in tcp from any to any 80 Nas FILTER Rule permit in ip from any to any 08E99C4F0019 Auth Type Local User Password 08E99C4F0019 Nas FILTER Rule permit in tcp from any to host 10 10 10 101 80 Nas F...

Page 349: ...xample suppose that you wanted to create ACL support foraclienthaving ausernameof Admin01 anda passwordof myAuth9 The ACL in this example must achieve the following Permit http TCP port 80 traffic from the client to the device at FE80 a40 Deny http TCP port 80 traffic from the client to all other IPv6 addresses Permit http TCP port 80 traffic from the client to the device at 10 10 10 117 Deny http...

Page 350: ...filter rule permit in tcp from any to FE80 a40 80 Nas filter rule deny in tcp from any to 0 80 Nas filter rule permit in tcp from any to 10 10 10 117 80 Nas filter rule deny in tcp from any to 0 0 0 0 0 80 Nas filter rule deny in tcp from any to any 23 Nas filter rule permit in ip from any to any Client s Username 802 1X or Web Authentication Client s Password 802 1X or Web Authentication In an AC...

Page 351: ...d thekeyusedintheFreeRADIUS clients conffile Forexample iftheswitch IP address is 10 10 10 125 and the key secret is 1234 you would enter the following in the server s clients conf file Figure 7 10 Example of Switch Identity Information for a FreeRADIUS Application 3 For a given client username password pair create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS users file Remember that...

Page 352: ...her IPv4 traffic from the client to all other devices To configure the above ACL you would enter the username password and ACE information shown in figure 7 11 into the FreeRADIUS users file Figure 7 11 Example of Configuring a FreeRADIUS Server To Filter IPv4 Traffic for a Client Using the Correct Username and Password Credentials User 10 Auth Type Local User Password auth7X HP Nas Rules IPv6 1 H...

Page 353: ...ny IPv6 traffic from the client assumes that HP Nas Rules IPv6 1 does not exist elsewhere in the ACL Refer to table 7 7 on page 7 24 for more on HP Nas Rules IPv6 HP Nas Filter Rule permit in ip from any to any Nas filter Rule permit in ip from any to any HP Nas Rules IPv6 2 Explicitly Denying Inbound Traffic From an Authenticated Client Any of the following three options for ending a RADIUS assig...

Page 354: ...er should be accessible to the switch and configured to support authentication requests from clients using the switch to access the network For more on RADIUS configuration refer to chapter 6 RADIUS Authentication and Accounting 2 Configure RADIUS network accounting on the switch optional aaa accounting network start stop stop only radius You can also view ACL counter hits using either of the foll...

Page 355: ...ion and operation refer to chapter 13 Configuring Port Based and User Based Access Control 802 1X in this guide MAC Authentication Option Syntax aaa port access mac based port list This command configures MAC authentication on the switch and activates this feature on the specified ports For more on MAC authentication refer to chapter 4 Web and MAC Authentica tion Web Authentication Option Syntax a...

Page 356: ...ated client is configured to filter IPv4 traffic only or both IPv4 and IPv6 traffic Refer to Table 7 7 on page 7 24 for more on this topic the explicit ACEs switch port and client MAC address for each ACL dynamically assigned by a RADIUS server as a response to client authentication If cnt counter is included in an ACE then the output includes the current number of inbound packet matches the switc...

Page 357: ...g is not enabled for the ACL assigned to the authenticated client Syntax show port access web based mac based authenticator clients port list detailed For ports in port list configured for authentication shows the details of the RADIUS assigned features listed below that are active as the result of a client authentication Ports in port list that are not configured for authentication are not listed...

Page 358: ...N IDs VIDs of any tagged VLANs currently supporting the authen ticated connection RADIUS ACL List Lists the explicit ACEs in the ACL assigned to the port for the authenticated client Includes the ACE Hit Count matches for ACEs configured with the cnt option Refer to ACE Syntax in RADIUS Servers on page 7 26 If a RADIUS ACL for the authenticated client is not assigned to the port No Radius ACL List...

Page 359: ...Client Status Detailed Client Base Details Port 9 Session Status authenticated Session Time sec 5 Username acluser1 MAC Address 0017a4 e6d787 IP n a Access Policy Details COS Map 77777777 In Limit Kbps 1000 Untagged VLAN 10 Out Limit Kbps Not Set Tagged VLANs 20 RADIUS ACL List deny in 23 from any to 10 0 8 1 24 23 CNT Hit Count 1 permit in 1 from any to 10 0 10 1 24 CNT Hit Count 112 deny in udp ...

Page 360: ...152 153 destination unreachable packet too big time exceeded parameter problem echo request echo reply multicast listener query multicast listener reply multicast listener done router solicitation router advertisement neighbor solicitation neighbor advertisement redirect message router renumbering icmp node information query icmp node information response inverse neighbor discovery solicitation me...

Page 361: ... been exceeded An IPv6 ACE has been received on a port and either the HP Nas Rules IPv6 attribute is missing or HP Nas Rules IPv6 2 is configured Refer to table 7 7 on page 7 24 for more on this attribute Monitoring Shared Resources Currently active RADIUS based authentication sessions including HP PMC IDM client sessions using RADIUS assigned ACLs share internal switch resources with several othe...

Page 362: ...7 44 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic RADIUS Assigned Access Control Lists ...

Page 363: ... Client Public Key Authentication Login Operator Level with User Password Authentication Enable Manager Level This option uses one or more public keys from clients that must be stored on the switch Only a client with a private key that matches a stored public key can gain access to the switch The same private key can be stored on one or more clients Feature Default Menu CLI WebAgent Generating a p...

Page 364: ...switch authen ticates itselfto SSH clients Users on SSH clients then authenticate themselves to the switch login and or enable levels by providing passwords stored locally on the switch or on a TACACS or RADIUS server However the client does not use a key to authenticate itself to the switch Figure 8 2 Switch User Authentication HP Switch SSH Server 1 Switch to Client SSH authentication 2 Client t...

Page 365: ...te key generated by an SSH client applica tion is typically stored in a file on the client device and together with its public key counterpart can be copied and stored on multiple devices Public Key An internally generated counterpart to a private key A device s public key is used to authenticate the device to other devices Enable Level Manager privileges on the switch Login Level Operator privile...

Page 366: ...entication page 8 1 then the client program must have the capability to generate or import keys Public Key Formats Any client application you use for client public key authentication with the switch must have the capability to export public keys The switch can accept keys in the PEM Encoded ASCII Format or in the Non Encoded ASCII format Figure 8 3 Example of Public Key in PEM Encoded ASCII Format...

Page 367: ... another SSH application b Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public key file to the switch The client public key file can hold up to 100 client keys This topic is covered under To Create a Client Public Key Text File on page 8 26 Switch Access Level Primary SSH Authentication Authenticate SwitchPublicKey to SSH Clients A...

Page 368: ...se In all cases the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none If the primary option is local the secondary option must be none Option B Primary Client public key authentication login public key page 8 25 Secondary none Note that ...

Page 369: ...tch s flash memory and are not affected by reboots or the erase startup config command Once you generate a key pair on the switch you should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow se...

Page 370: ...ts keysize 8 10 ip ssh 8 17 cipher cipher type 8 17 filetransfer 8 17 ip version 8 17 mac 8 18 port 1 65535 default 8 16 timeout 5 120 8 16 listen oobm data both 8 18 aaa authentication ssh login local tacacs radius public key 8 20 8 31 local none 8 20 enable tacacs radius local 8 20 local none 8 20 copy tftp pub key file tftp server IP public key file append manager operator oobm 8 28 clear crypt...

Page 371: ...ssion key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch The host key pair is stored in the switch s flash memory and only the public key in this pair is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the copy sftp ssh client known hosts user username username hostname IPv4 IPv...

Page 372: ... pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations you have set up for SSH access to the switch using the earlier pair Removing zeroing the switch s public private key pair renders the switch unable to engage in SSH operation and automatically disables IP SSH on the switch To verify whether SSH is enabled execute show ip ssh...

Page 373: ...ee Table 8 2 zeroize ssh cert autorun rsa Erases the switch s public private key pair and dis ables SSH operation show crypto host public key Displays switch s public key Displays the version 2 views of the key See SSH Client Public Key Authentication on page 2 21 in this guide for information about public keys saved in a configuration file babble Displays hashes of the switch s public key in phon...

Page 374: ...he keysize parameter and has the values shown in Table 8 2 The default value is used if keysize is not specified HP Switch config crypto key generate ssh rsa Installing new key pair If the key entropy cache is depleted this could take up to a minute HP Switch config show crypto host public key SSH host public key ssh rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNwBMXZ9vYG YxtV KQeQQ R8RKx47lxs14jPImBoV qUmK...

Page 375: ...uch as HyperTerminal to display the switch s public key with the show crypto host public key command 2 Bring up the SSH client s known host file in a text editor such as Notepad as straight ASCII text and copy the switch s public key into the file 3 Ensure that there are no changes or breaks in the text string A public key must be an unbroken ASCII string Line breaks are not allowed Changes in the...

Page 376: ...le in the ASCII format This method is tedious and error prone due to the length of the keys See figure 8 7 on page 8 13 Phonetic hash Outputs the key as a relatively short series of alpha betic character groups Requires a client ability to convert the key to this format Hexadecimal hash Outputs the key as a relatively short series of hexadecimal numbers Requires a parallel client ability Forexampl...

Page 377: ...ents Note Before enabling SSH on the switch you must generate the switch s public private key pair If you have not already done so refer to 2 Generating the Switch s Public and Private Key Pair on page 8 9 When configured for SSH the switch uses its host public key to authenticate itself to SSH clients If you also want SSH clients to authenticate themselves to the switch you must configure SSH on ...

Page 378: ...ch s public key and copying the key from the display into a file This requires a knowledge of where the client stores public keys plus the knowledge of what key editing and file format might be required by the client application However if the first contact attempt between a client and the switch does not pose a security problem this is unnecessary To enable SSH on the switch 1 Generate a public p...

Page 379: ...Default All cipher types are available Use the no form of the command to disable a cipher type filetransfer Enable disable secure file transfer capability SCP and SFTP secure file transfer will not function unless SSH is also enabled ip version 4 6 4or6 Select the IP mode to run in The mode ip version 4 only accepts connections from IPv4 clients The mode ip version 6 only accepts connections from ...

Page 380: ...negotiation and authentication Default 120 seconds listen oobm data both The listen parameter is available only on switches that have a separate out of band management port Values for this parameter are oobm inbound SSH access is enabled only on the out of band management port data inbound SSH access is enabled only on the data ports both inbound SSH access is enabled on both the out of band manag...

Page 381: ... unsure of the security this provides you may want to disable web based and or Telnet access no web management and no telnet If you need to increase SNMP security you should use SNMP version 3 only If you need to increase the security of your web interface see the section on SSL Another security measure is to use the Authorized IP Managers feature described in the switch s Management and Configura...

Page 382: ...switch s configuration Also if you configure only an Operator password entering the Operator password through telnet web ssh or serial port access enables full manager privileges See 1 Assigning a Local Login Operator and Enable Manager Password on page 8 9 Option A Configuring SSH Access for Password Only SSH Authentication When configured with this option the switch uses its pub lic key to authe...

Page 383: ... public key file into a TFTP or SFTP server accessible to the switch and download the file to the switch For more on these topics refer to Further Information on SSH Client Public Key Authentication on page 8 25 With steps 1 3 above completed and SSH properly configured on the switch if an SSH client contacts the switch login authentication automatically occurs first using the switch and client pu...

Page 384: ...up this operation you would configure the switch in a manner similar to the following Syntax aaa authentication ssh enable local tacacs radius local none Configures a password method for the primary and second ary enable Manager access If you do not specify an optional secondary method it defaults to none If the primary access method is local you can only specify none for a secondary access method...

Page 385: ... HP Switch config aaa authentication ssh login public key none HP Switch config aaa authentication ssh enable tacacs local HP Switch config coy tftp pub key file 10 33 18 117 HP Switch config write memory ConfiguresManageruser name and password Configures the switch to allow SSH access only for a client whose public key matchesoneofthe keys in the public key file Configures the primary and seconda...

Page 386: ... Auth ChapRadius radius Authorized MAC Auth ChapRadius radius None Enable Enable Enable Access Task Primary Server Group Secondary Console Local None Telnet Local None Webui Local None SSH Tacacs Local HP Switch config show crypto client public key 0 Maden name 1024 bit rsa Local_cryto Local crypto Thu Nov 07 2009 21 25 42 ssh rsa AAAAB3NzaClyc2EAAAADAQABAAAAgQcz9oNfqxMHUFEC6frSu1Sa4Uh1EFznFhQqmgP...

Page 387: ... That is if you use this feature only the clients whose public keys are in the client public key file you store on the switch will have SSH access to the switch over the network If you do not allow secondary SSH login Operator access via local password then the switch will refuse other SSH clients SSH clients that support client public key authentication normally provide a utility to generate a ke...

Page 388: ...h version of the data from step 6 and compares it to the client s hash version If they match then the client is authenticated Otherwise the client is denied access Using client public key authentication requires these steps 1 Generate a public private key pair for each client you want to have SSH access to the switch This can be a separate key for each client or the same key copied to several clie...

Page 389: ...ezm5jFDhtF2EuubuB9adA43hggmKqciZZ8EfiOmKE9QwQCWLw2vUnXLhfFhxYwo7CoTir4yJA 1ITSYFTrDd0G pD67VfToz9DeHO163Yl9ukQQNXGES0LRK 8I1SZO33smith support cairns com Comment Comment Public Key Property Supported Value Comments Key Format ASCII See figure 8 7 on page 8 13 The key must be one unbroken ASCII string If you add more than one client public key to a file terminate each key except the last one with a...

Page 390: ...p to ten stored in a single text file or individually on a TFTP server to which the switch has access Terminate all client public keys in the file except the last one with a CR LF Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key Although you can manually add or edit any comments the client application a...

Page 391: ...at do not have a separate out of band management port Refer to Appendix I Net work Out of Band Management in the Management and Configuration Guide for more information on out of band management show crypto client public key manager operator keylist str babble fingerprint Displays the client public key s in the switch s current client public key file See SSH Client Public Key Authentication on pag...

Page 392: ...rypto client public key 3 Deletes the entry with an index of 3 from the client public key file on the switch Enabling Client Public Key Authentication After you TFTP a client public key file into the switch described above you can configure the switch to allow the following If an SSH client s public key matches the switch s client public key file allow that client access to the switch If there is ...

Page 393: ...rom the switch with the copy command The SFTP server can be another switch or a workstation server with a running SSH server that supports SFTP Each switch with the SSH Client feature will have a known hosts file that can contain the public key from switches and servers that have been determined to be genuine New public keys can be added to the known hosts file when new SSH servers are contacted u...

Page 394: ...thentication Method publickey if a private key has been loaded onto the switch Authentication method password Syntax ssh user username username hostname IPv4 IPv6 port 1 65535 Enables an SSH client to open a secure session to an HP switch Opening secure sessions to devices other than HP switches is not supported user username username Optional the username on thedestination remote system Usernames...

Page 395: ...ting the manager is allowed on a switch The copy command allows you to copy the client key files using sftp tftp and usb or xmodem allowing encryption and authentication through SSH There is no way to generate the private key on the switch it must be copied onto the switch To load the client s private key onto the switch use one of these commands Syntax copy sftp ssh client key user username usern...

Page 396: ...ore overwriting the exist ing file Warning The existing known hosts file will be overwritten continue y n IPv4 Specifies the SFTP or TFTP server s IPv4 address IPv6 Specifies the SFTP or TFTP server s IPv6 address private key filename The remote filename containing the key port tcp port num TCP port of the SSH server on the remote system Syntax copy sftp ssh client known hosts user username userna...

Page 397: ...wn hosts file Default Replace the existing known hosts file Syntax copy ssh client known hosts sftp user username username hostname IPv4 IPv6 filename copy ssh client known hosts tftp hostname IPv4 IPv6 filename copy ssh client known hosts filename usb copy ssh client known hosts xmodem Copies the SSH client known hosts file to another location ssh client known hosts The known hosts file user user...

Page 398: ...y sftp user username username hostname IPv4 IPv6 filename copy ssh server pub key tftp hostname IPv4 IPv6 filename copy ssh server pub key usb copy ssh server pub key xmodem Copies the switch s SSH server public key to a server or other media user username username Optional there must be configured usernames for Operator and Manager If no username is specified the client s current username is used...

Page 399: ...prompted with a message Warning The SSH client known hosts file will be deleted continue y n Displaying Open Sessions To view all open sessions including console telnet and ssh enter the com mand show session list Syntax crypto key zeroize ssh client known hosts Deletes the SSH client known hosts file Syntax show session list Displays the active incoming and outgoing sessions ...

Page 400: ...ample of Open Sessions Listing HP Switch config show session list Session Information Source IP Selection Outgoing Interface Session 1 Privilege Superuser From Console To Session 2 Privilege Manager From 172 22 16 3 To 10 1 248 198 Session 3 Privilege Manager From 10 1 248 179 To ...

Page 401: ...fault or select another port number See Note on Port Number on page 8 19 Client public key file corrupt or not found Use copy tftp pub key file ip addr filename to download new file The client key does not exist in the switch Use copy tftp to download the key from a TFTP server Download failed overlength key in key file Download failed too many keys in key file Download failed one or more keys is ...

Page 402: ...t are included in the event log message Debug Logging To add ssh messages to the debug log output enter this command HP Switch debug ssh LOGLEVEL where LOGLEVEL is one of the following in order of increasing verbosity fatal error info verbose debug debug2 debug3 Generating new RSA host key If the cache is depleted this could take up to two minutes After you execute the generate ssh dsa rsa command...

Page 403: ...SSL in the switches covered in this guide is based on the OpenSSL software toolkit For more information on OpenSSL visit www openssl com Server Certificate authentication with User Password Authentication This option is a subset of full certificate authentication of the user and host It occurs only if the switch has SSL enabled As in figure 9 1 the switch authenticates itself to SSL enabled web br...

Page 404: ...168 bit 112 Effective DES 56 bit RC4 40 bit 128 bit Note HP Switches use RSA public key algorithms and Diffie Hellman and all references to a key mean keys generated using these algorithms unless otherwise noted HP Switch SSL Server SSL Client Browser 1 Switch to Client SSL Cert 2 User to Switch login password and enable password authentication options Local TACACS RADIUS ...

Page 405: ...d Certificate A certificate verified by a third party certif icate authority CA Authenticity of CA Signed certificates can be verified by an audit trail leading to a trusted root certificate Root Certificate A trusted certificateusedby certificate authorities to sign certificates CA Signed Certificates and usedlater on to verify that authenticity of those signed certificates Trusted certificates a...

Page 406: ... browser Note The latest versions of Microsoft Internet Explorer and Netscape web browser support SSL and TLS functionality See browser documentation for additional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 9 6 2 Generate a host certificate on the switch page 9 6 i Generate certificate key pair ii Generate host certificate You need to do ...

Page 407: ...elling reason Otherwise you will have to re introduce the switch s certificate on all manage ment stations clients you previously set up for SSL access to the switch In some situations this can temporarily allow security breaches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config c...

Page 408: ...asic Operation Guide for your switch 2 Generating the Switch s Server Host Certificate You must generate a server certificate on the switch before enabling SSL The switch uses this server certificate along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch The session key pair mentioned above is not vis...

Page 409: ...oot CA certificate and can be verified unequivocally Note There is usually a fee associated with receiving a verified certificate and the valid dates are limited by the root certificate authority issuing the certificate When you generate a certificate key pair and or certificate on the switch the switch places the key pair and or certificate in flash memory and not in running config Also the switc...

Page 410: ...to host cert generate self signed Arg List command Note When generating a self signed host certificate on the CLI if there is not certificate key generated this command will fail Comments on Certificate Fields There are a number arguments used in the generation of a server certificate table 9 1 Certificate Field Descriptions describes these arguments Syntax crypto key generate cert rsa bits 1024 2...

Page 411: ...een updates of passwords and keys Common name This should be the IP address or domain name associated with the switch Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the switch Organization This is the name of the entity e g company where the switch is in service Organizational Unit This is the name of the sub entity e g department whe...

Page 412: ...for SSL Operation CLI Command to view host certificates To view the current host certificate from the CLI you use the show crypto host cert command For example to display the new server host certificate Syntax show crypto host cert Displays switch s host certificate ...

Page 413: ...e1 aa 7d 2c 2b b7 6c 94 72 3e 23 2f b7 1f ba 04 28 c0 a2 15 76 d3 ce b7 57 dc 34 8a 21 26 6e a6 e9 0c 3f 8d 1b 6b fc a4 7d 8c ce 4d d8 87 0d 4d ff 86 b9 d5 36 70 32 a4 58 a5 29 7a f6 48 20 0f 54 86 34 99 7f bb c1 f9 ea 60 74 2f 36 2a ce a6 b0 bc 4f 2f 01 02 dc 4a f9 43 03 bb f3 b7 cf 09 69 b6 ed 0a d8 30 2a f5 44 39 c4 59 65 3e 1f Exponent 65537 0x10001 Signature Algorithm sha1withRSAEncryption 2b...

Page 414: ...ur switch To generate a self signed host certificate from the WebAgent i In the WebAgent navigation pane click on Security ii Click on SSL iii In the Web Management box enable SSL if it is not already checked iv Complete the fields in the SSL Certificate box and click on Create request Note When generating a self signed host certificate if no key is present and the current option is selected in th...

Page 415: ...submission to the certificate authority The second phase is the actual submission process that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response the usable server host certificate The third phase is the download phase consisting of pasting to the switch web server the certificate response which is then...

Page 416: ... SSL Operation iv In the SSL Certificate box fill out the fields and select Create request Figure 9 5 Example of CA Certificate Generation via SSL WebAgent Screen To access the online help for SSL certificate generation click on in the upper right corner of the screen ...

Page 417: ...he option of acceptingorrefusing IfaCA signedcertificateisusedontheswitch forwhich a root certificate exists on the client browser side then the browser will NOT prompt the user to ensure the validity of the certificate The browser will be able to verify the certificate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequiv...

Page 418: ...nt ssl Zeroize the switch s host certificate or certificate key page 9 7 Using the WebAgent to Enable SSL To enable SSL on the switch i In the navigation pane click on Security ii Click on SSL iii Click on the Change button iv Check the SSL Enable box to enable SSL v Enter the TCP port you desire to connect on It is recommended you use the default IP port number of 443 vi Click on Save To disable ...

Page 419: ...ches are 49 80 1506 and 1513 Caution SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides youmaywanttodisableTelnetaccess notelnet IfyouneedtoincreaseSNMP security use SNMP version 3 only for SNMP access Another security measur...

Page 420: ...he CLI or WebAgent You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the WebAgent on page 9 12 You may be using a reserved TCP port Refer to Note on Port Number on page 9 17 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior on page 9 15 Your browser may not suppor...

Page 421: ... simultaneousoperationofstaticallyconfiguredIPv4andIPv6ACLs is supported in these switches as well as dynamic RADIUS assigned ACLs capable of filtering both IPv4 and IPv6 traffic from authenticated clients However IPv4 and IPv6 ACEs cannot be combined in the same static ACL IPv4 and IPv6 static ACLs do not filter each other s traffic In this chapter unless otherwise noted The term ACL refers to st...

Page 422: ...Eliminates unwanted traffic in a path by filtering IPv4 packets where they enter or leave the switch on specific VLAN interfaces IPv4 ACLs can filter traffic to or from a host a group of hosts or entire subnets Notes IPv4 ACLs can enhance network security by blocking selected traffic and can serve as part of your network security program However because ACLs do not provide user or device authentic...

Page 423: ...is enabled Refer to Notes on IPv4 Routing on page 10 24 VLAN ACL VACL A VACL is an ACL configured on a VLAN to filter traffic entering the switch on that VLAN interface and having a destination on the same VLAN Static Port ACL A static port ACL is an ACL configured on a port to filter traffic entering the switch on that port regardless of whether the traffic is routed switched or addressed to a de...

Page 424: ... RADIUS server refer to the chapter titled Configuring RADIUS Server Support for Switch Services Note This chapter describes the IPv4 ACL applications you can statically configure on the switch For information on static IPv6 ACL applications refer to the chapter titled IPv6 Access Control Lists ACLs in the latest IPv6 Configu ration Guide for your switch ...

Page 425: ... Standard ACL HP Switch config ip access list standard name str 1 99 HP Switch config std nacl no 1 2147483647 10 90 Resequence the ACEs in a Standard ACL HP Switch config ip access list resequence name str 1 99 1 2147483647 1 2147483646 10 91 Enter or Remove a Remark from a Standard ACL HP Switch config ip access list standard name str 1 99 HP Switch config ext nacl remark remark str no 1 2147483...

Page 426: ...ded Numbered ACL or Add an ACE to the End of an Existing Numbered ACL HP Switch config access list 100 199 deny permit ip options tcp udp options igmp options icmp options precedence priority tos tos setting log 2 Note Uses the same IP TCP UDP IGMP and ICMP options as shown above for Create an Extended Named ACL 10 74 Insert an ACE by AssigningaSequence Number HP Switch config ip access list exten...

Page 427: ... access list 100 199 10 85 Action Command s Page Enable or Disable an RACL HP Switch config no vlan vid ip access group identifier in out 10 81 Enable or Disable a VACL HP Switch config no vlan vid ip access group identifier vlan Enable or Disable a Static Port ACL HP Switch config no interface port list Trkx access group identifier in HP Switch eth port list Trkx no ip access group identifier in ...

Page 428: ...t consisting of one or more explicitly configured Access Control Entries ACEs and terminating with an implicit deny ACE ACL types include standard and extended See also Standard ACL and Extended ACL To filter IPv4 traffic apply either type in any of the following ways RACL an ACL assigned to filter routed traffic entering or leaving the switch on a VLAN Separate assignments are required for inboun...

Page 429: ...ination intended by the packet s originator In an extended ACE this is the second of two addresses required by the ACE to determine whether there is a match between a packet and the ACE See also SA Deny An ACE configured with this action causes the switch to drop a packet for which there is a match within an applicable ACL Dynamic Port ACL See RADIUS Assigned ACL Extended ACL This type of IPv4 Acc...

Page 430: ...enerated by the switch routing must be con figured on the switch to enable support for RACL applications VLAN ACL VACL Inbound traffic is a packet entering the switch on a VLAN interface or a subnet in a multinetted VLAN Static Port ACL Inbound traffic is a packet entering the switch on the port RADIUS Assigned ACL Where a RADIUS server has authenticated a client and assigned an ACL to the port to...

Page 431: ...ilter inbound IP traffic from a client authenticated by the server for that port A RADIUS assigned ACL can be configured on a RADIUS server to filter inbound IPv4 and IPv6 traffic When the client session ends the RADIUS assigned ACL for that client is removed from the port See also Implicit Deny remark str The term used in ACL syntax statements to represent the variable remark string a set of alph...

Page 432: ... require an alphanumeric name or an identification number ID in the range of 1 99 See also identifier on page 10 9 Static Port ACL An ACL statically configured on a specific port group of ports or trunk A static port ACL filters all incoming IPv4 traffic on the port regardless of whether it is switched or routed VACL See VLAN ACL VLAN ACL VACL An ACL applied to all IPv4 traffic entering the switch...

Page 433: ...fy a single host a finite group of hosts or any host Extended ACL Use an extended ACL when simple IPv4 source address restrictions do not provide the sufficient traffic selection criteria needed on an interface Extended ACLs allow use of the following criteria source and destination IPv4 address combinations IPv4 protocol options Extended named ACLs also offer an option to permit or deny IPv4 conn...

Page 434: ... limiting feature that does not use ACLs If ACL mirroring is already configured in a switch running software version K 13 xx then downloading and booting from release K 14 01 or greater automatically modifies the depre cated configuration to conform to the classifier based rate limiting supported in release K 14 01 or greater For more information on this topic refer to the chapter titled Classifie...

Page 435: ... the same subnet from source to destination switched traffic unless the destination address DA or source address SA is on the switch itself VLAN 1 10 28 10 1 One Subnet VLAN 3 10 28 40 1 10 28 30 1 Multiple Subnets VLAN 2 10 28 20 1 One Subnet Switch with IPv4 Routing Enabled 10 28 10 5 10 28 20 99 10 28 30 33 10 28 40 17 Because of multinetting traffic routed from the 10 28 40 0 network to the 10...

Page 436: ...d to the VLAN or to ports in the VLAN Static Port ACL and RADIUS Assigned ACL Applications An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port regardless of whether the traffic is switched or routed VLAN 1 10 28 10 1 One Subnet VLAN 2 with VACL One Subnet 10 28 20 1 VLAN 3 Multiple Subnets 10 28 40 1 10 28 30 1 Switch with IPv4 Routing Enabled 10 28 10 5 10 28 20 99 10 ...

Page 437: ... to the port the IPv4 and IPv6 traffic inbound on the port from client A is filtered See also Operating Notes on page 10 18 Effect of RADIUS assigned ACLs When Multiple Clients Are Using the Same Port Some network configurations may allow multiple clients to authenticate through a single port where a RADIUS server assigns a separate RADIUS assigned ACL in response to each client s authentication o...

Page 438: ...on attempt This option is recommended for applica tions where only one client at a time can connect to the port and not recommended for instances where multiple clients may access the same port at the same time For more information refer to 802 1X Port Based Access Control in the chapter titled Configuring Port Based and User Based Access Control 802 1X in the latest Access Security Guide for your...

Page 439: ...f the following Table 10 1 Per Interface Multiple ACL Assignments ACL Type ACL Application Dynamic RADIUS Assigned ACLs one port based ACL for first client to authenticate on the port or up to 32 user based ACLs one per authenticated client Note If one or more user based dynamic ACLs are assigned to a port then the only traffic allowed inbound on the port is from authenticated clients IPv6 Static ...

Page 440: ...unning software version K 13 xx then downloading and booting from release K 14 01 or greater automatically mod ifies the deprecated configuration to conform to the classifier based mirroring and rate limitingsupportedinrelease K 14 01orgreater Formoreinformation on this topic refer to the chapter titled Classifier Based Software Configura tion in the latest Advanced Traffic Management Guide for yo...

Page 441: ...ffic regardless of whether any other VACLs permit the traffic Figure 10 4 Example of Order of Application for Multiple ACLs on an Interface Exception for Connection Rate Filtering Connection rate filtering can be configured along with one or more other ACL applications on the same interface In this case a connection rate match for a filter action is carried out according to the configured policy r...

Page 442: ...nge of hosts or all hosts Every ACL populated with one or more explicit ACEs includes an Implicit Deny as the last entry in the list The switchapplies this action to any packets that do not match other criteria in the ACL For standard ACLs the Implicit Deny is deny any For extended ACLs it is deny ip any any In any ACL you can apply an ACL log function to ACEs that have an explicit deny action The...

Page 443: ...should be allowed All UDP traffic or UDP traffic for a specific UDP port All ICMP traffic or ICMP traffic of a specific type and code All IGMP traffic or IGMP traffic of a specific type Any of the above with specific precedence and or ToS settings 3 Design the ACLs for the control points interfaces you have selected Where you are using explicit deny ACEs you can optionally use the VACL logging fea...

Page 444: ...ed Similarly to activate a RACLto screenrouted outboundIPv4traffic assigntheRACLto the statically configured VLAN on which the traffic exits from the switch A RACL config ured to screen inbound IPv4 traffic with a destination address on the switch itself does not require routing to be enabled ACLs do not screen outbound IPv4 traffic generated by the switch itself Refer to ACL Screening of IPv4 Tra...

Page 445: ...terface ACL Application Application Point Filter Action Port Static Port ACL switchconfigured inbound on the switch port inbound IPv4 traffic RADIUS Assigned ACL1 inbound on the switch port used by authenticated client inbound IPv4 and or IPv6 traffic from the authenticated client VLAN VACL entering the switch on the VLAN inbound IPv4 traffic RACL2 entering the switch on the VLAN routed IPv4 traff...

Page 446: ...icit deny any Example Suppose the ACL in figure 10 5 is assigned to filter the IPv4 traffic from an authenticated client on a given port in the switch Figure 10 5 Example of Sequential Comparison As shown above the ACL tries to apply the first ACE in the list If there is not a match it tries the second ACE and so on When a match is found the ACL invokes the configured action for that entry permit ...

Page 447: ...orm action permit or deny End End Test the packet against criteria in second ACE Is there a match Test packet against criteria in Nth ACE Is there a match No Yes End Perform action permit or deny 1 If a match is not found with the first ACE in an ACL the switchproceedstothenext ACE and so on 2 If a match with an explicit ACEis subsequently found the packet is either permit ted forwarded or denied ...

Page 448: ...Implicit Deny exit HP Switch config vlan 12 ip access group Test 02 in 4 2 Denies Telnet trafficfrom source address 10 11 11 101 Packets matching this criterion are dropped and are not compared to later criteria in the list Packets not matching this criterion are compared to the next entry in the list 1 Permits IPv4 traffic from source address 10 11 11 42 Packets matching this criterion are permit...

Page 449: ...n Before creating and implementing ACLs you need to define the policies you want your ACLs to enforce and understand how the ACL assignments will impact your network users Note All IPv4 traffic entering the switch on a given interface is filtered by all ACLs configured for inbound traffic on that interface For this reason an inbound IPv4 packet will be denied dropped if it has a match with either ...

Page 450: ...the core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge of the network The earlier in the network path you can block unwanted traffic the greater the benefit for network performance From where is the traffic coming The source and destination of trafficyouwanttofilterdeterminestheACLapplicationtouse RACL VACL static port ACL and RADIUS assigned ACL What tra...

Page 451: ... by blocking selected traffic and can serve as one aspect of maintaining network security However because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IP packet transmissions they should not be relied upon for a complete security solution Note Static IPv4 ACLs for the switches covered by this guide do not filter non IPv4 traffic suc...

Page 452: ...ch in an ACL append an ACE that enables Permit Any forwarding as the last ACE in the ACL This ensures that no packets reach the Implicit Deny case for that ACL Generally you should list ACEs from the most specific individual hosts tothe mostgeneral subnetsorgroupsofsubnets unlessdoing so permits traffic that you want dropped For example an ACE allowing a small group of workstations to use a specia...

Page 453: ...ings This means that the ACL denies any IPv4 packet it encounters that does not have a match with an entry in the ACL Thus if you want an ACL to permit any packets that you have not expressly denied you must enter a permit any or permit ip any any as the last ACE in an ACL Because for a given packet the switch sequentially applies the ACEs in an ACL until it finds a match any packet that reaches t...

Page 454: ...ysical Ports in a Static VLAN A VACL or RACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN including ports that have dynam ically joined the VLAN RACLs Screen Routed IPv4 Traffic Entering or Leaving the Switch on a Given VLAN Interface This means that the following traffic is subject to ACL filtering IPv4 traffic arriving on the switch through one VLAN and l...

Page 455: ... a network mask define the part of an IPv4 address to use for the network number and the bits set to 0 in the mask define the part of the address to use for the host number In an ACL IPv4 addresses and masks provide criteria for determining whether to deny or permit a packet or to pass it to the next ACE in the list If there is a match the configured deny or permit action occurs If there is not a ...

Page 456: ...y match is an IPv4 address identical to the host address specified in the ACE Depending on your network a single ACE that allows a match with more than one source or destination IPv4 address may allow a match with multiple subnets For example in a network with a prefix of 31 30 240 and a subnet mask of 255 255 240 0 the leftmost 20 bits applying an ACL mask of 0 0 31 255 causes the subnet mask and...

Page 457: ...This policy states that every bit in every octet of a packet s SA must be the same as the corresponding bit in the SA defined in the ACE A group of IPv4 addresses fits the matching criteria In this case you provide both the address and the mask For example access list 1 permit 10 28 32 1 0 0 0 31 This policy states that In the first three octets of a packet s SA every bit must be set the same as t...

Page 458: ... s SA 0 0 0 1 1 0 1 0 1 0 1 The shaded area indicates bits in the packet that must exactly match the bits in the source address in the ACE Wherever the mask bits are ones wildcards the corresponding address bits in the packet can be any value and where the mask bits are zeros the corresponding address bits in the packet must be the same as those in the ACE Note This example covers only one octet o...

Page 459: ...ACE Mask Policy for a Match Between a Packet and the ACE Allowed Addresses A 10 38 252 195 0 0 0 255 Exact match in first three octets only 10 38 252 0 255 See row A in table 10 4 below B 10 38 252 195 0 0 7 255 Exact match in the first two octetsandtheleftmostfivebits 248 of the third octet 10 38 248 255 0 255 In the third octet only the rightmost three bits are wildcard bits The leftmost five bi...

Page 460: ...ing the switch on a given VLAN Static Port ACL any IPv4 traffic entering the switch on a given port port list or static trunk 3 If the ACL is applied as an RACL enable IPv4 routing Except for instances where the switch is the traffic source or destination assigned RACLs filter IPv4 traffic only when routing is enabled on the switch Caution Regarding the Use of IPv4 Source Routing IPv4 source routi...

Page 461: ...stablished traffic based on whether the initial request should be allowed Any UDP traffic only or UDP traffic for a specific UDP port Any ICMP traffic only or ICMP traffic of a specific type and code Any IGMP traffic only or IGMP traffic of a specific type Any of the above with specific precedence and or ToS settings For an extended ACL ID use either a unique number in the range of 100 199 or a un...

Page 462: ...mple of the General Structure for a Standard ACL Element Notes Type Standard or Extended Identifier Alphanumeric Up to 64 Characters Including Spaces Numeric 1 99 Standard or 100 199 Extended Remark Allowsupto100alphanumericcharacters including blank spaces If any spaces are used the remark must be enclosed in a pair of single or double quotes AremarkisassociatedwithaparticularACE andwillhavethesa...

Page 463: ...ed ACL include A permit deny statement Source and destination IPv4 addressing Choice of IPv4 criteria including optional precedence and ToS Optional ACL log command for deny entries Optional remark statements HP Switch Config show running ip access list standard Sample List 10 deny 10 28 150 77 0 0 0 0 log 20 permit 10 28 150 1 0 0 0 255 exit ACL List Heading with List Type and Identifier Name or ...

Page 464: ...mit deny ipv4 protocol type SA src acl mask DA dest acl mask permit deny tcp SA operator value DA operator value established ack fin rst syn permit deny udp SA src acl mask operator port id DA dest acl mask operator port id permit deny icmp SA src acl mask DA dest acl mask icmp type permit deny igmp SA SA mask DA dest acl mask igmp type precedence priority tos tos setting log Allowed only with den...

Page 465: ...Sample List 1 10 permit ip 10 38 130 55 0 0 0 0 10 38 130 240 0 0 0 0 20 permit tcp 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 eq 23 30 remark ALLOWS HTTP FROM SINGLE HOST 30 permit tcp 10 38 131 14 0 0 0 0 eq 80 0 0 0 0 255 255 255 255 eq 3871 40 remark DENIES HTTP FROM ANY TO ANY 40 deny tcp 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 eq 80 log 50 deny udp 10 42 120 19 0 0 0 0 eq 69 10 ...

Page 466: ...destination address will be denied dropped Since in this example the intent is to block TCP traffic from 10 28 18 100 to any destination except the destination stated in the ACE at line 30 this ACE must follow the ACE at line 30 If their relative positions were exchanged all TCP traffic from 10 28 18 100 would be dropped including the traffic for the 10 28 18 1 destination 50 Any packet from any I...

Page 467: ... of the monitored resources described in the appendix titled Monitored Resources in the Management and Configuration Guide for your switch You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch s Configuration In this case if you subsequently create an ACL with that name or number the switch automatically applies each ACE as soon as you enter it in the ru...

Page 468: ... end of a list named List 1 to allow traffic from the device at 10 10 10 100 HP Switch config ip access list standard List 1 HP Switch config std nacl permit host 10 10 10 100 Insert an ACE anywhere in a named ACL by specifying a sequence number For example if you wanted to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named List 2 to deny IPv4 traffic from the device at 1...

Page 469: ...ot allowed in the same ACL Attempting to enter a duplicate ACE displays the Duplicate access control entry message Using CIDR Notation To Enter the IPv4 ACL Mask You can use CIDR Classless Inter Domain Routing notation to enter ACL masks The switch interprets the bits specified with CIDR notation as the address bits in an ACL and the corresponding address bits in a packet that must match The switc...

Page 470: ... from an ACL HP Switch config ip access list standard name str 1 99 HP Switch config std nacl no 1 2147483647 10 90 Resequence the ACEs in an ACL HP Switch config ip access list resequence name str 1 99 1 2147483647 1 2147483646 10 91 Enter or Remove a Remark from an ACL HP Switch config ip access list standard name str 1 99 HP Switch config ext nacl remark remark str no 1 2147483647 remark For nu...

Page 471: ...creating a named ACL differs from the command syntax for creating a numbered ACL For example the first pair of entries below illustrate how to create or enter a named standard ACL and enter an ACE The next entry illustrates creating a numbered standard ACL with the same ACE HP Switch config ip access list standard Test List HP Switch config std nacl permit host 10 10 10 147 HP Switch config access...

Page 472: ... 74 applying or removing an ACL on an interface 10 81 deleting an ACL 10 85 editing an ACL 10 86 sequence numbering in ACLs 10 87 including remarks in an ACL 10 92 displaying ACL configuration data 10 97 creating or editing ACLs offline 10 107 enabling ACL Deny logging 10 112 Syntax ip access list standard name str Places the CLI in the Named ACL nacl context specified by the name str alphanumeric...

Page 473: ...ies or permits a packet matching the criteria in the ACE as described below any host SA SA mask SA mask length Defines the source IPv4 address SA a packet must carry for a match with the ACE any Allows IPv4 packets from any SA host SA Specifies only packets having SA as the source Use this criterion when you want to match the IPv4 packets from a single source address SA mask or SA mask length Spec...

Page 474: ...L logging is enabled on the switch Refer to Enable ACL Deny Logging on page 10 112 Use the debug command to direct ACL logging output to the current console session and or to a Syslog server Note that you must also use the logging ip addr command to specify the addresses of Syslog servers to which you want log messages sent See also Enable ACL Deny Logging on page 10 112 HP Switch config ip access...

Page 475: ...cess list Sample List Access Control Lists Name Sample List Type Standard Applied No SEQ Entry 10 Action permit IP 10 10 10 104 Mask 0 0 0 0 20 Action deny log IP 10 10 10 1 Mask 0 0 0 255 30 Action permit IP 0 0 0 0 Mask 255 255 255 255 Note that each ACE is automatically assigned a sequence number Topic Page configuring named standard ACLs 10 52 configuring named extended ACLs 10 61 configuring ...

Page 476: ...n be renumbered using resequence page 10 91 Note To insert a new ACE between two existing ACEs in a standard numbered ACL a Use ip access list extended 1 99 to open the ACL as a named ACL b Enter the desired sequence number along with the ACE keywords and variables you want After a numbered ACL has been created it can be managed as either a named or numbered ACL Refer to the Numbered ACLs list ite...

Page 477: ...p of IPv4 addresses The mask format can be in either dotted decimal format or CIDR format number of significant bits Refer to Using CIDR Notation To Enter the IPv4 ACL Mask on page 10 49 SA Mask Application The mask is applied to the SA in the ACE to define which bits in a packet s SA must exactly match the SA configured in the ACL and which bits need not match Example 10 10 10 1 24 and 10 10 10 1...

Page 478: ...d Named ACL in Figure 10 14 HP Switch config access list 17 permit host 10 10 10 104 HP Switch config access list 17 deny 10 10 10 1 24 log HP Switch config access list 17 permit any HP Switch config show access list 17 Access Control Lists Name 17 Type Standard Applied No SEQ Entry 10 Action permit IP 10 10 10 104 Mask 0 0 0 0 20 Action deny log IP 10 10 10 1 Mask 0 0 0 255 30 Action permit IP 0 ...

Page 479: ...ny host DA DA mask length DA mask 1 0 255 0 255 icmp message 10 61 precedence priority tos tos setting log 2 10 61 Create an Extended Numbered ACL or Add an ACE to the End of an Existing Numbered ACL HP Switch config access list 100 199 deny permit ip options tcp udp options igmp options icmp options log 2 precedence priority tos tos setting Note Uses the same IPv4 TCP UDP IGMP and ICMP options as...

Page 480: ...uration For example configuring two ACLs results in an ACL total of two even if neither is assigned to an interface If you then assign a nonexistent ACL to an interface the new ACL total is three because the switch now has three unique ACL names in its configuration For more on ACL limits refer to Monitoring Shared Resources on page 10 129 Use Sequence Num ber To Delete an ACE HP Switch config ip ...

Page 481: ...xtended ACL 2 Enter the first ACE in a new extended ACL or append an ACE to the end of an existing extended ACL This section describes the commands for performing these steps For other ACL topics refer to the following Topic Page configuring named standard ACLs 10 52 configuring numbered standard ACLs 10 55 configuring numbered extended ACLs 10 74 applying or removing an ACL on an interface 10 81 ...

Page 482: ...nacl context specified by the name str alphanumeric identifier This enables entry of individual ACEs in the specified ACL If the ACL does not already exist this command creates it name str Specifies an alphanumeric identifier for the ACL Consists of an alphanumeric string of up to 64 case sensitive characters Including spaces in the string requires that you enclose the string in single or double q...

Page 483: ...utive sequence numbers in increments of 10 and can be renumbered using resequence page 10 91 Note To insert a new ACE between two existing ACEs in an extended named ACL precede deny or permit with an appro priate sequence number along with the ACE keywords and variables you want Refer to Inserting an ACE in an Exist ing ACL on page 10 88 For a match to occur a packet must have the source and desti...

Page 484: ...extended ACE It follows the protocol specifier and defines the source address SA a packet must carry for a match with the ACE any Allows IPv4 packets from any SA host SA Specifies only packets having a single address as the SA Use this criterion when you want to match only the IPv4 packets from a single SA SA mask or SA mask length Specifies packets received from an SA where the SA is either a sub...

Page 485: ...can be in either dotted decimal format or CIDR format number of significant bits Refer to Using CIDR Notation To Enter the IPv4 ACL Mask on page 10 49 DA Mask Application The mask is applied to the DA in the ACL to define which bits in a packet s DA must exactly match the DA configured in the ACL and which bits need not match See also the above example and note precedence 0 7 precedence name This ...

Page 486: ... or in the case of 0 2 4 and 8 as alphanumeric names 0 or normal 2 max reliability 4 max throughput 6 8 minimize delay 10 12 14 Note The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE log This option can be used after the DA to generate an Event Log message if The action is deny Not applicable to permit There is a match ACL logging is enabled ...

Page 487: ...ort established ack fin rst syn Syntax deny permit udp SA comparison operator udp src port DA comparison operator udp dest port In an extended ACL using either tcp or udp as the packet protocol type you can optionally use TCP or UDP source and or desti nation port numbers or ranges of numbers to further define the criteria for a match For example deny tcp host 10 20 10 17 eq 23 host 10 20 10 155 e...

Page 488: ...cket must be in the range start port nbr end port nbr Port Number or Well Known Port Name Use the TCP or UDP port number required by your appli cation The switch also accepts these well known TCP or UDP port names as an alternative to their port numbers TCP bgp dns ftp http imap4 ldap nntp pop2 pop3 smtp ssl telnet UDP bootpc bootps dns ntp radius radius old rip snmp snmp trap tftp To list the abo...

Page 489: ...device Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked However by using the established option inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted but inbound Telnet traffic trying to estab lish a connection would be denied TCP Control Bits In ...

Page 490: ...ing icmp as the packet protocol type see above you can optionally specify an individual ICMP packet type or packet type code pair to further define the criteria for a match This option if used is entered immediately after the destination address DA entry The following example shows two ACEs entered in a Named ACL context permit icmp any any host unknown permit icmp any any 3 7 icmp type icmp code ...

Page 491: ... net prohibited option missing echo packet too big echo reply parameter problem general parameter problem port unreachable host isolated precedence unreachable host precedence unreachable protocol unreachable host redirect reassembly timeout host tos redirect redirect host tos unreachable router advertisement host unknown router solicitation host unreachable source quench information reply source ...

Page 492: ...In an extended ACL using igmp as the packet protocol type you can optionally specify an individual IGMP packet type to further define the criteria for a match This option if used is entered immediately after the destination addressing entry The following example shows an IGMP ACE entered in the Named ACL context HP Switch config ext nacl permit igmp any any host query igmp type The complete list o...

Page 493: ...k 10 10 10 0 VLAN 10 to 10 10 20 0 VLAN 20 and permit all other IPv4 traffic from any source to any destination See A in figure 10 18 below B Permit FTP traffic from 10 10 20 100 on VLAN 20 to 10 10 30 55 on VLAN 30 Deny FTP traffic from other hosts on network10 10 20 0 to any destination but permit all other IPv4 traffic Figure 10 18 Example of an Extended ACL VLAN 10 10 10 10 1 VLAN 20 10 10 20 ...

Page 494: ...ext nacl exit HP Switch config vlan 20 ip access group Extended List 02 in HP Switch config ip access list extended Extended List 01 HP Switch config ext nacl permit tcp host 10 10 10 44 host 10 10 20 78 eq telnet HP Switch config ext nacl deny ip 10 10 10 1 24 10 10 20 1 24 HP Switch config ext nacl permit ip any any HP Switch config ext nacl exit HP Switch config vlan 10 ip access group Extended...

Page 495: ... In the default configuration the ACEs in an ACL will automatically be assigned consecutive sequence numbers in increments of 10 and can be renumbered with resequence page 10 91 Note To insert a new ACE between two existing ACEs in an extended numbered ACL a Use ip access list extended 100 199 to open the ACL as a named ACL b Enter the desired sequence number along with the ACE statement you want ...

Page 496: ...ir corresponding protocol names refer to the IANA Protocol Number Assignment Services at www iana com Range 0 255 For TCP UDP ICMP and IGMP additional criteria can be specified as described later in this section any host SA SA mask length SA mask In an extended ACL this parameter defines the source address SA that a packet must carry in order to have a match with the ACE any Specifies all inbound ...

Page 497: ...described earlier and defines the destination address DA that a packet must carry in order to have a match with the ACE The options are the same as shown for SA any Allows routed IPv4 packets to any DA host DA Specifies only the packets having DA as the destination address Use this criterion when you want to match only the IPv4 packets for a single DA DA mask length or DA mask Specifies packets in...

Page 498: ... selection criteria config ured in the same ACE tos This option can be used after the DA to cause the ACE to match packets with the specified Type of Service ToS set ting ToS values can be entered as the following numeric settings or in the case of 0 2 4 and 8 as alphanumeric names 0 or normal 2 max reliability 4 max throughput 6 8 minimize delay 10 12 14 Note The ToS criteria in this section are ...

Page 499: ...That is an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE As an optional alterna tive the ACE can include the name of an ICMP packet type For a summary of the extended ACL syntax options refer to table on page 10 59 Syntax access list 100...

Page 500: ...an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE For a summary of the extended ACL syntax options refer to table on page 10 59 Syntax access list 100 199 deny permit igmp src ip dest ip igmp type The IGMP type criteria is identical to the criter...

Page 501: ... ip access group identifier in out where identifier either a ACL name or an ACL ID number Assigns an ACL to a VLAN as an RACL to filter routed IPv4 traffic entering or leaving the switch on that VLAN You can use either the global configuration level or the VLAN context level to assign or remove an RACL Note The switch allows you to assign a nonexistent ACL name or number to a VLAN In this case if ...

Page 502: ... Enables an RACL from the Global Configuration Level Enables an RACL from a VLAN Context Disables an RACL from the Global Configuration Level Disabling an RACL from a VLAN Context Syntax no vlan vid ip access group identifier vlan where identifier either a ACL name or an ACL ID number Assigns an ACL as a VACL to a VLAN to filter any IPv4 traffic entering the switch on that VLAN You can use either ...

Page 503: ...om the Global Configuration Level Enables a VACL from a VLAN Context Disables a VACL from the Global Configuration Level Disables a VACL from a VLAN Context Syntax no interface port list Trkx ip access group identifier in where identifier either a ACL name or an ACL ID number Assigns an ACL as a static port ACL to a port port list or static trunk to filter any IPv4 traffic entering the switch on t...

Page 504: ...fier based rate limiting supported in release K 14 01 or greater For more information on this topic refer to the chapter titled Classifier Based Software Configuration in the latest Advanced Traffic Management Guide for your switch HP Switch config interface b10 ip access group My List in HP Switch config interface b10 HP Switch eth b10 ip access group 155 in HP Switch eth b10 exit HP Switch confi...

Page 505: ...pty ACL to the interface Subsequently populating the empty ACL with explicit ACEs causes the switch to automatically activate the ACEs as they are created and to implement the implicit deny at the end of the ACL Deleting an ACL from the running configuration while the ACL is currently assigned on an interface results in an empty version of the ACL in the running con figuration and on the interface...

Page 506: ...ut specifying a sequence number the switch inserts the ACE as the last entry in the ACL When you enter a new ACE in a named ACL and include a sequence number the switch inserts the ACE according to the position of the sequence number in the current list of ACEs Numbered ACLs When using the access list 1 99 100 199 command to create or add ACEs to a numbered ACL each new ACE you enter is added to t...

Page 507: ...numbered in increments of 10 For example the following show run output lists three ACEs with default numbering in a list named My List Figure 10 23 Example of the Default Sequential Numbering for ACEs You can add an ACE to the end of a named or numbered ACL by using either access list for numbered ACLs or ip access list for named ACLs Figure 10 24 Examples of Adding an ACE to the end of Numbered o...

Page 508: ...dard My List HP Switch config std nacl permit any HP Switch config std nacl show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 20 permit 10 20 10 117 0 0 0 0 30 deny 10 20 10 1 0 0 0 255 40 permit 0 0 0 0 255 255 255 255 exit Syntax ip access list standard extended name str 1 99 100 199 1 2147483647 permit deny standard acl ip criteria log 1 2147483647 permit deny extended acl ...

Page 509: ...etween the ACEs numbered 10 and 20 in figure 10 25 requires a sequence number in the range of 11 19 for the new ACE Figure 10 26 Example of Inserting an ACE in an Existing ACL In the following example the first two ACEs entered become lines 10 and 20 in the list The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20 HP Switch config ip access list ...

Page 510: ...x ip access list standard extended name str 1 99 100 199 no seq The first command enters the Named ACL context for the specified ACL The no command deletes the ACE corresponding to the sequence number entered Range 1 2147483647 HP Switch config ip access list standard List 01 HP Switch config std nacl permit 10 10 10 1 24 HP Switch config std nacl deny 10 10 1 1 16 HP Switch config std nacl 15 per...

Page 511: ...g seq Specifies the sequence number for the first ACE in the list Default 10 Range 1 2147483647 interval Specifies the interval between sequence numbers for the ACEs in the list Default 10 Range 1 2147483647 HP Switch config show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 15 deny 10 10 10 1 0 0 0 255 20 permit 10 20 10 117 0 0 0 0 30 deny 10 20 10 1 0 0 0 255 40 permit 0 0 0...

Page 512: ...k remark str This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark The next command entry should be the ACE to which the remark belongs The new ACE will automatically be numbered with the same sequence number as was used for the preceding remark HP Switch config show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 15 d...

Page 513: ... 100 199 seq remark remark str no seq remark This syntax applies to both named and numbered ACLs With out an optional sequence number the remark is appended to the end of the list and automatically assigned a sequence number When entered with an optional sequence number the remark is inserted in the list according to the numeric prece dence of the sequence number The no form of the command deletes...

Page 514: ...ig std nacl remark HOST 10 20 10 34 HP Switch config std nacl permit host 10 20 10 34 HP Switch config std nacl show run hostname HP_switch ip access list standard My List 10 permit 10 10 10 15 0 0 0 0 20 deny 10 10 10 1 0 0 0 255 30 remark HOST 10 20 10 34 30 permit 10 20 10 34 0 0 0 0 exit The remark is assigned the same number that the immediately followingACE 30 inthisexample is assigned when ...

Page 515: ...ber and content of the ACE having a remark you want to remove 3 Delete the ACE 4 Using the same sequence number re enter the ACE Operating Notes for Remarks The resequence command ignores orphan remarks that do not have an ACE counterpart with the same sequence number For example if a remark numbered 55 exists in an ACE there is no ACE numbered 55 in the same ACL resequence is executed on an ACL t...

Page 516: ...0 1 24 HP Switch config std nacl remark Marketing HP Switch config std nacl remark Channel_Mktg HP Switch config std nacl show run ip access list standard Accounting 10 permit 10 10 10 115 0 0 0 0 20 deny 10 10 10 1 0 0 0 255 30 remark Channel_Mktg exit Where multiple remarks are sequentially entered for automatic inclusion at the end of an ACL each successive remark replacesthepreviousoneuntilan ...

Page 517: ... the ACLina list format similar to that used to display an ACL in the show running config output 10 103 show access list resources Displays information on the resources currently available in the switch Refer to the Monitoring Resources appendixinthelatestManagement and Configuration Guide for your switch show access list radius all port list Lists the RADIUS ACL s currently assigned for either al...

Page 518: ...d on the switch Term Meaning Type Shows whether the listed ACL is an IPv4 std ACL an IPv4 ext ACL or an IPv6 ACL Appl Shows whether the listed ACL has been applied to an interface yes no Name Shows the identifier name or number assigned to each ACL configured in theswitch HP Switch config show access list Access Control Lists Type Appl Name ext yes 101 std yes 55 ext yes Marketing ipv6 no Accounti...

Page 519: ...his command for input to an offline text file in which you can edit add or delete ACL commands Refer to Creating or Editing ACLs Offline on page 10 107 Thisinformationalsoappearsintheshowrunningdisplay Ifyouexecutedwrite memory after configuring an ACL it appears in the show config display Figure 10 33 shows the ACLs on a switch configured with two IPv6 ACLs named Accounting and List 01 Inbound an...

Page 520: ...fig show access list config ip access list extended 101 10 permit tcp 10 30 133 27 0 0 0 0 0 0 0 0 255 255 255 255 20 permit tcp 10 30 155 101 0 0 0 0 0 0 0 0 255 255 255 255 30 deny ip 10 30 133 1 0 0 0 0 0 0 0 0 255 255 255 255 log 40 deny ip 10 30 155 1 0 0 0 255 0 0 0 0 255 255 255 255 exit ipv6 access list Accounting 10 permit tcp 2001 db8 0 1af 10 14 128 0 eq 23 20 permit tcp 2001 db8 0 1af ...

Page 521: ...arious ports and trunks on the switch HP Switch config show access list vlan 20 Access Lists for VLAN 20 Inbound Access List Account 2 Type Extended Outbound Access List 101 Type Extended Ipv6 VACL Access List Blue Group VACL Access List None Connection Rate Filter Access List None An extended IPv4 ACL named Account 2 is assigned to filter routed IPv4 traffic entering the switch on VLAN 20 An exte...

Page 522: ...sts for Port B12 Inbound 101 Type Extended Inbound Ipv6 Accounting Access Lists for Port Trk2 Inbound Ipv6 Accounting Access Lists for Port Trk5 Inbound Marketing Type Extended An IPv6 ACL is filtering inbound traffic on port B1 Both an IPv4 ACL and an IPv6 ACL are filtering inbound IPv4 and IPv6 traffic respectively on port B12 An IPv6 ACL is filtering inbound IPv6 traffic on Trunk 2 Trk2 An IPv4...

Page 523: ...ng two ACLs in the switch Use show access list identifier to inspect a specific IPv6 or IPv4 ACL as follows Syntax show access list identifier config Display detailed information on the content of a specific ACL configured in the running config file Identifier Type Desired Action Accounting IPv6 Permit Telnet traffic from these two IPv6 addresses 2001 db8 0 1af 10 14 2001 db8 0 1af 10 24 Deny Teln...

Page 524: ...Dst IP Prefix Len 0 Src Port s Dst Port s eq 23 Proto TCP Option s Dscp 30 Action deny log Src IP 2001 db8 0 1af 10 Prefix Len 116 Dst IP Prefix Len 0 Src Port s Dst Port s Proto TCP Option s Dscp 40 Action permit Src IP 2001 db8 0 1af 10 Prefix Len 116 Dst IP Prefix Len 0 Src Port s Dst Port s Proto IPV6 Dscp IndicateswhethertheACL is applied to an interface TCP Source Port Source Address Protoco...

Page 525: ...shed TOS Precedence routine 20 Action deny log Src IP 10 30 133 1 Mask 0 0 0 255 Port s Dst IP 0 0 0 0 Mask 255 255 255 255 Port s Proto IP TOS Precedence 30 Action permit Src IP 0 0 0 0 Mask 255 255 255 255 Port s Dst IP 0 0 0 0 Mask 255 255 255 255 Port s Proto IP TOS Precedence IndicateswhethertheACL is applied to an interface Remark Field Appears if remark configured Empty field indicates that...

Page 526: ... Entry Lists the content of the ACEs in the selected ACL Action Permit forward or deny drop a packet when it is compared to the criteria in the applicable ACE and found to match Includes the optional log option if used in deny actions Remark Displays any optional remark text configured for the selected ACE IP Used for Standard ACLs The source IPv4 address to which the configured mask is applied to...

Page 527: ... section Note Beginning with software release K_12_XX or later copy commands that used either tftp or xmodem also include an option to use usb as a source or destination device for file transfers So although the following example highlights tftp bear in mind that xmodem or usb can also be used to transfer ACLs to and from the switch Creating or Editing an ACL Offline The Offline Process 1 Begin by...

Page 528: ...mask of 255 255 255 0 and a TFTP server at 10 10 10 1 ID LIST 20 IN Deny Telnet access to a server at 10 10 10 100 on VLAN 10 from these three addresses on VLAN 20 with ACL logging 10 10 20 17 10 10 20 23 10 10 20 40 Allow any access to the server from all other addresses on VLAN 20 Permit internet access to these two address on VLAN 20 but deny access to all other addresses on VLAN 20 without ACL...

Page 529: ...ip access list extended LIST 20 IN CREATED ON JUNE 27 10 remark THIS ACE APPLIES INBOUND ON VLAN 20 10 permit tcp any host 10 10 20 98 eq http 20 permit tcp any host 10 10 20 21 eq http 30 deny tcp any 10 10 20 1 24 eq http VLAN 20 SOURCES TO VLAN 10 DESTINATIONS 40 deny tcp host 10 10 20 17 host 10 10 10 100 eq telnet log 50 deny tcp host 10 10 20 23 host 10 10 10 100 eq telnet log 60 deny tcp ho...

Page 530: ...10 1 LIST 20 IN txt pc Running configuration may change do you want to continue y n Y 1 ip access list extended LIST 20 IN 3 CREATED ON JUNE 27 5 10 remark THIS ACE APPLIES INBOUND ON VLAN 20 6 10 permit tcp any host 10 10 20 98 eq http 7 20 permit tcp any host 10 10 20 21 eq http 8 30 deny tcp any 10 10 20 1 24 eq http 10 VLAN 20 SOURCES TO VLAN 10 DESTINATIONS 12 40 deny tcp host 10 10 20 17 hos...

Page 531: ... 10 10 20 1 0 0 0 255 eq 80 40 deny tcp 10 10 20 17 0 0 0 0 10 10 10 100 0 0 0 0 eq 23 log 50 deny tcp 10 10 20 23 0 0 0 0 10 10 10 100 0 0 0 0 eq 23 log 60 deny tcp 10 10 20 40 0 0 0 0 10 10 10 100 0 0 0 0 eq 23 log 70 permit ip 10 10 20 1 0 0 0 255 10 10 10 100 0 0 0 0 80 remark VLAN 30 POLICY 80 deny ip 10 10 30 1 0 0 0 255 10 10 10 100 0 0 0 0 90 permit ip 10 10 30 1 0 0 0 255 10 10 10 1 0 0 0...

Page 532: ...the current console Telnet or SSH session You can use logging to configure up to six Syslog server destinations Requirements for Using ACL Logging The switch configuration must include an ACL 1 assigned to a port trunk or static VLAN interface and 2 containing an ACE configured with the deny action and the log option If the RACL application is used then IPv4 routing must be enabled on the switch F...

Page 533: ... line summary of any additional deny matches for that ACE and any other deny ACEs for which the switch detected a match If no further log messages are generated in the wait period the switch suspends the timer and resets itself to send a message as soon as a new deny match occurs The data in the message includes the information illustrated in figure 10 43 Figure 10 43 Content of a Message Generate...

Page 534: ...For example suppose that you want to configure the following operation On VLAN 10 configure an extended ACL with an ACL ID of NO TELNET and use the RACL in option to deny Telnet traffic entering the switch from 10 10 10 3 to any routed destination Note that this assignment will not filter Telnet traffic from 10 10 10 3 to destinations on VLAN 10 itself Configure the switch to send an ACL log messa...

Page 535: ... 3 HP Switch config logging facility syslog HP Switch config debug destination logging HP Switch config debug destination session HP Switch config debug acl HP Switch config write mem HP Switch config show debug Debug Logging Destination Logging 10 10 20 3 Facility syslog Session Enabled debug types event acl log HP Switch config show access list config ip access list extended NO TELNET 10 remark ...

Page 536: ... or other destination device s The first time a packet matches an ACE with deny and log configured the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes default value The exact dura tion of the period depends on how the packets are internally routed At the end of the wait period the switch sends a single line summary of any additional ...

Page 537: ...rmine whether a particular traffic type is being filtered by the intended ACE in an assigned list or if traffic from a particular device or network is being filtered as intended Note This section describes the command for monitoring static ACL performance To monitor RADIUS assigned ACL performance use either of the following commands show access list radius all port list show port access authentic...

Page 538: ...on a specific interface Total This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL s counters were last reset to 0 zero For example figure 10 46 illustrates both IPv6 and IPv4 ACL activity HP Switch show statistics aclv6 IPV6 ACL vlan 20 vlan HitCounts for ACL IPV6 ACL Total 12 10 permit icmp 0 fe80 20 2 128 128 6 20 deny tcp 0 fe8...

Page 539: ...n ACL line 10 below there has been a total of 37 matches on the ACE since the last time the ACL s counters were reset Total 37 10 permit icmp 0 fe80 20 2 128 128 Note This ACL monitoring feature does not include hits on the implicit deny that is included at the end of all ACLs Resetting ACE Hit Counters to Zero Using the clear statistics command page 10 118 Removing an ACL from an interface zeros ...

Page 540: ...t icmp 0 fe80 20 3 128 128 136 30 permit tcp fe80 20 1 128 0 eq 23 2 40 deny icmp 0 fe80 20 1 128 128 10 50 deny tcp 0 0 eq 23 8 60 deny icmp 0 0 133 155 70 permit ipv6 0 0 HP Switch sho statistics aclv4 102 vlan 20 vlan HitCounts for ACL 102 Total 1 10 permit icmp 10 10 20 3 0 0 0 0 10 10 20 2 0 0 0 0 8 2 20 deny icmp 10 10 20 3 0 0 0 0 10 10 20 1 0 0 0 0 8 log 2 30 deny icmp 10 10 20 2 0 0 0 0 1...

Page 541: ...CL V6 02 Total 5 10 permit icmp 0 fe80 20 2 128 128 4 20 permit icmp 0 fe80 20 3 128 128 136 30 permit tcp fe80 20 1 128 0 eq 23 2 40 deny icmp 0 fe80 20 1 128 128 10 50 deny tcp 0 0 eq 23 8 60 deny icmp 0 0 133 155 70 permit ipv6 0 0 HP Switch clear statistics aclv6 V6 02 vlan 20 vlan HP Switch show statistics aclv6 V6 02 vlan 20 vlan HitCounts for ACL V6 02 Total 0 10 permit icmp 0 fe80 20 2 128...

Page 542: ...rfaces only the affected ACE counters for that interface are incremented Other instances of the same ACL applied to other interfaces are not affected For example suppose that An ACL named V6 01 is configured as shown in figure 10 50 to block Telnet access to a workstation at FE80 20 2 which is connected to a port belonging to VLAN 20 The ACL is assigned as a PACL port ACL on port B2 which is also ...

Page 543: ...ACL V6 01 assigned as a PACL on port B2 VLAN 20 FE80 20 1 5400zl Switch FE80 20 117 Port B2 HP Switch ping6 fe80 20 2 vlan20 fe80 0000 0000 0000 0000 0000 0020 0002 is alive time 5 ms HP Switch telnet fe80 20 2 vlan20 Telnet failed Connection timed out HP Switch HP Switch show statistics aclv6 IP 01 port b2 Hit Counts for ACL IPV6 ACL Total 1 10 permit icmp fe80 20 3 128 fe80 20 2 128 128 5 20 den...

Page 544: ...hat same counter on all RACL assigned instances of that ACL The ACE counters for VACL and PACL instances of an ACL are not affected by counter activity in RACL instances of the same ACL For example suppose that an IPv4 ACL named Test 1 is configured as shown in figure 10 54 to block Telnet access to a server at 10 10 20 12 on VLAN 20 and that the Test 1 ACL is assigned to VLANs as follows VLAN 20 ...

Page 545: ...ment the counters for ACE 10 on both RACL instances of the Test 1 ACL Using the network infigure 10 55 a device at 10 10 20 4 on VLAN 20 attempting to ping and Telnet to 10 10 20 12 is filtered through the VACL instance of the Test 1 ACL on VLAN 20 and results in the following Figure 10 56 Ping and Telnet from 10 10 20 4 to 10 10 20 2 Filtered by the Assignment of Test 1 as a VACL on VLAN 20 VLAN ...

Page 546: ... 20 vlan Hit Counts for ACL Test 1 Total 5 10 deny tcp 0 0 0 0 255 255 255 255 10 10 20 2 0 0 0 0 eq 23 log 2 20 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 HP Switch config show statistics aclv4 Test 1 vlan 50 in Hit Counts for ACL Test 1 Total 0 10 deny tcp 0 0 0 0 255 255 255 255 10 10 20 2 0 0 0 0 eq 23 log 0 20 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 Indicates ...

Page 547: ... 0 0 0 0 eq 23 log 1 20 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 255 255 255 HP Switch config Indicates the same type of data as shown in figure 10 57 for the VACL assignment of the Test 1 ACL That is the Ping attempt incremented the counters for ACE 20 and the Telnet attempt incremented the counters for ACE 10 in the VLAN 50 RACL instance of the ACL HP Switch config show statistics aclv4 Tes...

Page 548: ...g statement included and apply the ACL to an appropriate VLAN Logging enables you to selectively test specific devices or groups However excessive logging can affect switch performance For this reason HP recommends that you remove the logging option from ACEs for which you do not have a present need Also avoid config uring logging where it does not serve an immediate purpose Note that ACL logging ...

Page 549: ... you assign an ACL to an interface and subsequently add or replace ACEs in that ACL each new ACE becomes active when you enter it If the ACL is configured on multiple interfaces when the change occurs then the switch resources must accom modate all applications of the ACL If there are insufficient resources to accommodate one of several ACL applications affected by the change then the change is no...

Page 550: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...

Page 551: ...work gateway address is assigned by a rogue DHCP server Address exhaustion of available addresses in the network DHCP server caused by repeated attacker access to the network and numer ous IP address requests Dynamic ARP protection Protects your network from ARP cache poisoning as in the following cases An unauthorized device forges an illegitimate ARP response and network devices use the response...

Page 552: ...it legitimate traffic indicated by an unusually high use of specific system resources Attempts to attack the switch s CPU and introduce delay in system response time to new network events Attempts by hackers to access the switch indicated by an excessive number of failed logins or port authentication failures Attempts to deny switch service by filling the forwarding table indi cated by an increase...

Page 553: ...mmand Page dhcp snooping page 11 5 authorized server page 11 8 database page 11 12 option page 11 9 trust page 11 7 verify page 11 11 vlan page 11 7 show dhcp snooping page 11 5 show dhcp snooping stats page 11 6 dhcp snooping binding page 11 13 debug dhcp snooping page 11 13 ...

Page 554: ...ndition for Dropping a Packet Packet Types A packet from a DHCP server received on an untrusted port DHCPOFFER DHCPACK DHCPNACK If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses DHCPOFFER DHCPACK DHCPNACK Unless configured to n...

Page 555: ...addresses are considered valid Maximum 20 authorized servers database To configure a location for the lease database enter a URL in the format tftp ip addr ascii string The maximum number of characters for the URL is 63 option Add relay information option Option 82 to DHCP client packets that are being forwarded out trusted ports The default is yes add relay information trust Configure trusted por...

Page 556: ... Information DHCP Snooping Yes Enabled Vlans Verify MAC Yes Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 remote id mac Store lease database Not configured Port Trust B1 No B2 No HP Switch config show dhcp snooping stats Packet type Action Reason Count server forward from trusted port 8 client forward to trusted port 8 server drop received on untrusted port 2 server drop unauth...

Page 557: ...oping enabled on VLAN 4 Figure 11 3 Example of DCHP Snooping on a VLAN Configuring DHCP Snooping Trusted Ports By default all ports are untrusted To configure a port or range of ports as trusted enter this command HP Switch config dhcp snooping trust port list You can also use this command in the interface context in which case you are not able to enter a list of ports HP Switch config dhcp snoopi...

Page 558: ...ve a source address in the autho rized server list in order to be considered valid If no authorized servers are configured all servers are considered valid You can configure a maximum of 20 authorized servers To configure a DHCP authorized server address enter this command in the global configuration context HP Switch config dhcp snooping authorized server ip address HP Switch config dhcp snooping...

Page 559: ...s for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion Option 82 inserted in this manner allows the association of the client s lease with the correct port even when another device is acting as a DHCP relay or when the server is on the same subnet as the client Not e DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled...

Page 560: ...ion in the packet remote id Set the value used for the remote id field of the relay information option mac The switch mac address is used for the remote id This is the default subnet ip The IP address of the VLAN the packet was received on is used for the remote id If subnet ip is specified but the value is not set the MAC address is used mgmt ip The management VLAN IP address is used as the remot...

Page 561: ... ip Figure 11 6 Example of DHCP Snooping Option 82 using the VLAN IP Address Disabling the MAC Address Check DHCP snooping drops DHCP packets received on untrusted ports when the check address chaddr field in the DHCP header does not match the source MAC address of the packet default behavior To disable this checking use the no form of this command HP Switch config dhcp snooping verify mac HP Swit...

Page 562: ...nfigure this location use this command Syntax no dhcp snooping database file tftp ip address ascii string delay 15 86400 timeout 0 86400 file Must be in Uniform Resource Locator URL format tftp ip address ascii string The maximum filename length is 63 characters delay Number of seconds to wait before writing to the database Default 300 seconds timeout Number of seconds to wait for the database fil...

Page 563: ... lease database from the tftp server it waits until that operation times out and then begins forwarding DHCP packets Enabling Debug Logging To enable debug logging for DHCP snooping use this command Operational Notes DHCP is not configurable from the WebAgent or menu interface If packets are received at too high a rate some may be dropped and need to be re transmitted Syntax show dhcp snooping bin...

Page 564: ...nation address is out a port configured as untrusted Ceasing untrusted port destination logs for s More that one client unicastpacketwithanuntrustedportdestinationwasdropped Toavoidfilling the log file with repeated attempts untrusted port destination attempts will not be logged for the specified duration Unauthorized server ip address detected on port port number Indicates that an unauthorized DH...

Page 565: ...ith repeated attempts client address mismatch events will not be logged for the specified duration Attempt to release address ip address leased to port port number detected on port port number dropped Indicates an attempt by a client to release an address when a DHCPRELEASE or DHCPDECLINE packet is received on a port different from the port the address was leased to Ceasing bad release logs for s ...

Page 566: ...LAN node to be sent to the attacker s MAC address As a result the attacker can intercept traffic for other hosts in a classic man in the middle attack The attacker gains access to any traffic sent to the poisoned address and can capture passwords e mail and VoIP calls or even modify traffic before resending it Another way in which the ARP cache of known IP addresses and associated MAC addresses ca...

Page 567: ...m devices that have been assigned static IP addresses are also verified Supports additional checks to verify source MAC address destination MAC address and IP address ARP packets that contain invalid IP addresses or MAC addresses in their body that do not match the addresses in the Ethernet header are dropped When dynamic ARP protection is enabled only ARP request and reply packets with valid IP t...

Page 568: ... requests and responses on the port Each intercepted packet is checked to see if its IP to MAC binding is valid If a binding is invalid the switch drops the packet You must configure trusted ports carefully For example in the topology in Figure 11 9 Switch B may not see the leased IP address that Host 1 receives from the DHCP server If the port on Switch B that is connected to Switch A is untruste...

Page 569: ... Layer 2 domain Because ARP packets do not cross Layer 2 domains the unprotected switches cannot unknowingly accept ARP packets from an attacker and forward them to protected switches through trusted ports To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports enter the arp protect trust command at the global configuration level The switch does not check ARP request...

Page 570: ...ding command at the global configuration level An example of the ip source binding command is shown here HP Switch config ip source binding 0030c1 7f49c0 interface vlan 100 10 10 20 1 interface A4 Not e Note that the ip source binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings The Dynamic ARP Protection and Dynamic IP Lockdown features share a ...

Page 571: ...Dynamic ARP Protection To display the current configuration of dynamic ARP protection including the additional validation checks and the trusted ports that are configured enter the show arp protect command Syntax no arp protect validate src mac dest mac ip src mac Optional Drops any ARP request or response packet in which the source MAC address in the Ethernet header does not match the sender MAC ...

Page 572: ...tect statistics Command ARP Protection Information Enabled Vlans 1 4094 Validate dest mac src mac Port Trust B1 Yes B2 Yes B3 No B4 No B5 No HP Switch config show arp protect HP Switch config show arp protect statistics 1 2 Status and Counters ARP Protection Counters for VLAN 1 Forwarded pkts 10 Bad source mac 2 Bad bindings 1 Bad destination mac 1 Malformed pkts 0 Bad IP address 0 Status and Coun...

Page 573: ... spoofing on a per port and per VLAN basis When dynamic IP lockdown is enabled IP packets in VLAN traffic received on a port are forwarded only if they contain a known source IP address and MAC address binding for the port The IP to MAC address binding can either be statically configured or learned by the DHCP Snooping feature HP Switch config debug arp protect 1 ARP request is valid DARPP Allow A...

Page 574: ...e internal lists are dynamically created from known IP to MAC address bindings to filter VLAN traffic on both the source IP address and source MAC address Prerequisite DHCP Snooping Dynamic IP lockdown requires that you enable DHCP snooping as a prerequisite for its operation on ports and VLAN traffic Dynamic IP lockdown only enables traffic for clients whose leased IP addresses are already stored...

Page 575: ...oved The port reverts back to switching traffic as usual Filtering IP and MAC Addresses Per Port and Per VLAN This section contains an example that shows the following aspects of the Dynamic IP Lockdown feature Internal Dynamic IP lockdown bindings dynamically applied on a per port basis from information in the DHCP Snooping lease database and stati cally configured IP to MAC address bindings Pack...

Page 576: ...lockdown Operating Notes Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets which are handled by DHCP snooping DHCP snooping is a prerequisite for Dynamic IP Lockdown operation The following restrictions apply DHCP snooping ...

Page 577: ... on how to configure and use DHCP snooping see DHCP Snooping on page 11 3 After you enter the ip source lockdown command enabled globally with thedesiredportsenteredin port list thedynamicIPlockdownfeature remains disabled on a port if any of the following conditions exist If DHCP snooping has not been globally enabled on the switch If the port is not a member of at least one VLAN that is enabled ...

Page 578: ... enabled globally or on ports the bindings associated with the ports are written to hardware This occurs during these events Switch initialization Hot swap A dynamic IP lockdown enabled port is moved to a DHCP snooping enabled VLAN DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports Potential Issues with Bindings When dynamic IP lo...

Page 579: ... Dynamic IP Lockdown Configuration To display the ports on which dynamic IP lockdown is configured enter the show ip source lockdown status command at the global configuration level Syntax no ip source binding vlan id ip address mac address port number vlan id Specifies a valid VLAN ID number to bind with the specified MAC and IP addresses on the port in the DHCP binding database ip address Specif...

Page 580: ...y the static configurations of IP to MAC bindings stored in the DHCP lease database enter the show ip source lockdown bindings command Anexampleoftheshowipsource lockdownbindingscommandoutputisshown in Figure 11 6 Syntax show ip source lockdown bindings port number port number Optional Specifies the port number on which source IP to MAC address and VLAN bindings are configured in the DHCP lease da...

Page 581: ...command To send command output to the active CLI session enter the debug destination session command Counters for denied packets are displayed in the debug dynamic ip lockdown command output Packet counts are updated every five minutes An example of the command output is shown in Figure 11 7 When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP to MAC addr...

Page 582: ... HP Switch config debug dynamic ip lockdown DIPLD 01 01 90 00 01 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 1 packets DIPLD 01 01 90 00 06 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 294 packets DIPLD 01 01 90 00 11 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 01 90 00 16 25 denied ip 192 168 2 100 0 PORT 4 192 168 2 1 0 300 packets DIPLD 01 01 90 00 21 25 de...

Page 583: ...h use the snooping database 3400 2800 32 bindings per port up to 512 manual bindings Up to 32 VLANs with DHCP snooping enabled This is not guaranteed as the hardware resources are shared with QoS 2610 8 bindings per port up to 512 manual bindings Globally 118 to 125 hosts Up to 8 VLANs with DHCP snooping enabled This is not guaranteed as the hardware resources are shared with IDM ACLs The number o...

Page 584: ...ssive system resource usage resulting in insufficient resources for legitimate traffic login failures min The count of failed CLI login attempts or SNMP management authentication failures This indicates an attempt has been made to manage the switch with an invalid login or password Also it might indicate a network management station has not been configured with the correctSNMP authentication param...

Page 585: ... multiple messages are generated In the preceding example if a condition is reported 4 times persists for more than 15 minutes then alerts cease for 15 minutes If after 15 minutes the condition still exists the alerts cease for 30 minutes then for 1 hour 2 hours 4 hours 8 hours andafter thatthepersisting conditionis reported once a day As with other event log entries these alerts can be sent to a ...

Page 586: ...n events per minute discarded to help free CPU resources when busy Default threshold setting when enabled 100 med login failures The count of failed CLI login attempts or SNMP management authen tication failures per hour Default threshold setting when enabled 10 med mac address count The number of MAC addresses learned in the forwarding table You must enter a specific value in order to enable this...

Page 587: ...of the system delay parameter HP Switch config no instrumentation monitor system delay To adjust the alert threshold for the MAC address count to the low value HP Switch config instrumentation monitor mac address count low To adjust the alert threshold for the MAC address count to a specific value HP Switch config instrumentation monitor mac address count 767 To enable monitoring of learn discards...

Page 588: ...nstrumentation Monitor configuration is to use the show run command However the show run com mand output does not display the threshold values for each limit set HP Switch show instrumentation monitor configuration PARAMETER LIMIT mac address count 1000 med ip address count 1000 med system resource usage 50 med system delay 5 high mac moves min 100 med learn discards min 100 med ip port scans min ...

Page 589: ...other HP switches in the above table or switches not listed here refer to the documentation provided for those switches Models Source Port Filters Protocol Filters Multicast Filters 8200zl Switches Yes Yes Yes 6600 Switches Yes Yes Yes 6400cl Switches Yes No No 5400zl Switches Yes Yes Yes 4200vl Switches Yes No No 3500 3500yl Switches Yes Yes Yes 3400cl Switches Yes No No 2800 Switches Yes No No 2...

Page 590: ...gured Up to 8 with more than 1024 VLANs configured Protocol filters up to 7 Using Port Trunks with Filters The switch manages a port trunk as a single source or destination for source port filtering If you configure a port for filtering before adding it to a port trunk the portretains the filter configuration butsuspends the filtering action while a member of the trunk If you want a trunk to perfo...

Page 591: ... physical source port will be forwarded or dropped on a per port destination basis Multicast Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports the default or dropped on a per port destination basis Protocol Inbound traffic having the selected frame protocol type will be forwarded or dropped on a per port destination basis End Node A Server Switch E8212zl ...

Page 592: ...orts and or trunks the switch automatically forwards traffic to the outbound ports and or trunks you do not specifically configure to drop traffic Destination ports that comprise a trunk are listed collectively by the trunk name such as Trk1 instead of by individual port name Packets allowed for forwarding by a source port filter are subject to thesameoperationasinboundpacketsonaportthatisnotconfi...

Page 593: ...using this capability you can define a source port filter once and apply it to multiple ports and port trunks This can make it easier to configure and manage source port filters on your switch The commands to define configure apply and display the status of named source port filters are described below Switch Server A Port 7 Port 8 Server B Port 9 Server C Port 5 Workstation X This list shows the ...

Page 594: ... applied to any ports Defining and Configuring Named Source Port Filters Thenamedsource portfiltercommandoperatesfromtheglobalconfiguration level Syntax no filter source port named filter filter name Defines or deletes a named source port filter The filter name may contain a maximum of 20 alpha numeric characters longer names may be specified but they are not displayed A filter name cannot be a va...

Page 595: ...x filter source port named filter filter name drop destination port list Configures the named source port filter to drop traffic having a destination on the ports and or port trunks in the destination port list Can be followed by the forward option if you have other destination ports or port trunks previously set to drop that you want to change to forward For example filter source port named filte...

Page 596: ... where each filter entry includes a Filter Name Port List and Action Filter Name The filter name used when a named source port filter is defined Non named source port filters are automatically assigned the port or port trunk number of the source port Port List Lists the port and port trunk destinations using the filter Named source port filters that are not in use display NOT USED Action Lists the...

Page 597: ...ource port named filter accounting drop 1 6 8 9 12 26 HP Switch config filter source port named filter no incoming web drop 7 10 11 HP Switch config show filter source port Traffic Security Filters Filter Name Port List Action web only NOT USED drop 2 26 accounting NOT USED drop 1 6 8 9 12 26 no incoming web NOT USED drop 7 10 11 HP Switch config Ports and port trunks using the filter When NOT USE...

Page 598: ...Source Port 9 8 Source Port 12 20 Source Port 24 21 Source Port 25 22 Source Port 26 23 Source Port 7 24 Source Port 10 25 Source Port 11 26 Source Port 1 Indicates the port number or port trunknameofthesourceportortrunk assigned to the filter An automatically assigned index number used to identify the filter for a detailed information listing A filter retains its assigned IDX number for as long a...

Page 599: ... Action 1 10 100TX Forward 2 10 100TX Drop 3 10 100TX Drop 4 10 100TX Drop 5 10 100TX Drop 6 10 100TX Drop 7 10 100TX Drop 8 10 100TX Drop 9 10 100TX Drop 10 10 100TX Drop 11 10 100TX Drop 12 10 100TX Drop HP Switch config show filter 24 Traffic Security Filters Filter Type Source Port Source Port 10 Dest Port Type Action 1 10 100TX Drop 2 10 100TX Drop 3 10 100TX Drop 4 10 100TX Drop 5 10 100TX D...

Page 600: ...ce Port Source Port 1 Dest Port Type Action 1 10 100TX Forward 2 10 100TX Forward 3 10 100TX Forward 4 10 100TX Forward 5 10 100TX Forward 6 10 100TX Forward 7 10 100TX Drop 8 10 100TX Forward 9 10 100TX Forward 10 10 100TX Drop 11 10 100TX Drop 12 10 100TX Forward Accounting Server 1 Port 7 Port 1 Router to the Internet Port 12 Accounting Workstation 3 Port 13 Accounting Workstation 4 Network Des...

Page 601: ...filters we first remove the existing source port filters on the port The named source port filters now manage traffic on the switch ports as shown below using the show filter source port command HP Switch config filter source port named filter accounting forward 8 12 13 HP Switch config filter source port named filter no incoming web drop 8 12 13 HP Switch config HP Switch config show filter sourc...

Page 602: ...e IGMP controlled filter overrides the static multicast filter configured on that port Note that in the default configuration IGMP is disabled on VLANs configured in the switch To enable IGMP on a specific VLAN use the vlan vid ip igmp command For more on this command refer to the chapter titled Multimedia Traffic Control with IP Multicast IGMP in the Multicast and Routing Guide for your switch Th...

Page 603: ...affic Security filters configured with a multicast filter type and a multicast address in this range will continue to be in effect unless IGMP learns of a multicast group destination in this range In this case IGMP takes over the filtering function for the multicast destination address es for as long as the IGMP group is active If the IGMP group subsequently deactivates the static filter resumes c...

Page 604: ...Configuring Traffic Security Filters Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify 1 Select the static filter type s 2 For inbound traffic matching the filter type determine the filter action you want for each outbound destination port on the switch forward or drop The default action for a new filt...

Page 605: ...p traffic for the ports and or trunks in the designated destination port list Can be followed by forward destination port list if you have other destination ports set to drop that you want to change to forward If no drop or forward action is specified the switch automatically creates a filter with a forward action from the designated source port or trunk to all destination ports or trunks on the s...

Page 606: ...tion uses the same command as is used for configuring a filter on an individual port However the configuration process requires two steps 1 Configure the port trunk 2 Configure a filter on the port trunk by using the trunk name trk1 trk2 trk6 instead of a port name For example to create a filter on port trunk 1 to drop traffic received inbound for trunk 2 and ports 10 15 HP Switch config filter so...

Page 607: ...lter exists for a given source port the filter on traffic from port 8 appears as shown on the right in figure 12 14 HP Switch config filter source port 5 drop 2 HP Switch config trunk 5 6 trk1 HP Switch config show filter Traffic Security Filters IDX Filter Type Value 1 Source Port 5 HP Switch config show filter 1 Traffic Security Filters Filter Type Source Port Source Port 5 Dest Port Type Action...

Page 608: ... no filter multicast mac address Specifies a multicast address Inbound traffic received on any port with this multicast address will be filtered Default Forward on all ports The no form of the command deletes the multicast filter for the mac address multicast address and returns the destination ports for that filter to the Forward action forward drop port list Specifies whether the designated dest...

Page 609: ... index number 2 and then configure two new filters the first new filter will receive the index number 2 and the second new filter will receive the index number 4 This is because the index number 2 was made vacant by the earlier deletion and was therefore the lowest index number available for the next new filter Filter Type Filter Value Action Destination Ports Source Port Inbound ports A1 A2 Drop ...

Page 610: ... number for as long as the filter exists in the switch The switch assigns the lowest available IDX number to a new filter This can result in a newer filter having a lower IDX number than an older filter if a previous filter deletion created a gap in the filter listing Filter Type Indicates the type of filter assigned to the IDX number source port multicast or protocol Value Indicates the port numb...

Page 611: ... HP Switch config show filter 4 Traffic Security Filters Filter Type Multicast Multi cast Addres 010000 224466 Dest Port Type Action A1 1000LX Forward A2 Forward A3 Forward A4 1000SX Forward B1 100 1000T Drop B2 100 1000T Drop B3 100 1000T Drop B4 100 1000T Drop C1 10 100TX Forward C2 10 100TX Forward C3 10 100TX Forward Filter Index Numbers AutomaticallyAssigned Listsallfiltersconfigured in the s...

Page 612: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...

Page 613: ...er to use the same entering valid user credentials for access from multiple points within the network General Features 802 1X on the switches covered in this guide includes the following Switch operation as both an authenticator for supplicants having a point to point connection to the switch and as a supplicant for point to point connections to other 802 1X aware switches Authentication of 802 1X...

Page 614: ...g the include credentials command For infor mation about the password port access command see Do These Steps Before You Configure 802 1X Operation on page 13 13 On demand change of a port s configured VLAN membership status to support the current client session Session accounting with a RADIUS server including the accounting update interval Use of Show commands to display session counters Support ...

Page 615: ...only on ports where a single 802 1X capable client supplicant has entered authorized RADIUS user credentials For reasons outlined below this option is recommended for applications where only one client at a time can connect to the port Using this option the port processes all IP traffic as if it comes from the same client Thus in a topology where multiple clients can connect to the same port at th...

Page 616: ... want to allow only authenticated clients on the port then user based access control page 13 3 should be used instead of port based access control Using the user based method enables you to specify up to 32 authenticated clients Not e Port Based 802 1X can operate concurrently with Web Authentication or MAC Authentication on the same port However this is not a commonly used application and is not ...

Page 617: ...port based VLAN membership unless MAC based VLANs are enabled Please see MAC Based VLANs on page 6 51 Authentication Server The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator In the case of a switch running 802 1X this is a RADIUS server unless local authentication is used in which case the switch performs this function using i...

Page 618: ...es Tagged Membership in a VLAN This type of VLAN membership allows a port to be a member of multiple VLANs simultaneously If a client connected to the port has an operating system that supports 802 1Q VLAN tagging then the client can access VLANs for which the port is a tagged member If the client does not support VLAN tagging then it can access only a VLAN for which the port is an untagged member...

Page 619: ...ady using the port Untagged Membership in a VLAN A port can be an untagged member of only one VLAN unless MAC based VLANs are enabled Please see MAC Based VLANs on page 6 51 In the factory default configuration all ports on the switch are untagged members of the default VLAN An untagged VLAN membership is required for a client that does not support 802 1q VLAN tagging A port can simultaneously hav...

Page 620: ...uest for the client 3 The switch responds in one of the following ways If 802 1X on the switch is configured for RADIUS authentication the switch then forwards the request to a RADIUS server i The server responds with an access challenge which the switch forwards to the client ii The client then provides identifying credentials such as a user certificate which the switch forwards to the RADIUS ser...

Page 621: ...en the switch assigns the port to the VLAN entered in the port s 802 1X configuration as an Authorized Client VLAN if configured c 3rd Priority If the port does not have an Authorized Client VLAN configured but does have a static untagged VLAN membership in its configuration then the switch assigns the port to this VLAN A port assigned to a VLAN by an Authorized Client VLAN configuration or a RADI...

Page 622: ...DIUS Assigned VLAN Authorized VLAN Configured Another Old Client Already Using Port Are All Old Clients On Unauthorized VLAN No No Yes Yes Assign New Client to RADIUS Specified VLAN Assign New Client toAuthorizedVLAN Configured on Port Assign New Client to Untagged VLAN Configured On Port Yes New Client VLAN Same As Old Client VLAN No Drop All Clients UsingUnauthorized VLAN No Reject New Client On...

Page 623: ...on When a port on the switch is configured as an authenticator one authenticated client opens the port Other clients that are not running an 802 1X supplicant application can have access to the switch and network through the opened port If another client uses an 802 1X supplicant application to access the opened port then a re authentication occurs using the RADIUS configuration response for the l...

Page 624: ...supplicant or both Some configuration instances block traffic flow or allow traffic to flow without authentication Refer to Configuring Switch Ports To Oper ate As Supplicants for 802 1X Connections to Other Switches on page 13 50 To help maintain security 802 1X and LACP cannot both be enabled on the same port If you try to configure 802 1X on a port already configured for LACP or the reverse you...

Page 625: ...al operator password config ured with the password command is not accepted as an 802 1X authenti cator credential The port access command is used to configure the operator username and password that are used as 802 1X credentials for networkaccesstotheswitch 802 1Xnetworkaccessisnotallowedunless a password has been configured using thepasswordport access command Syntax password port access user na...

Page 626: ...disable LACP on these ports For more informa tion on disabling LACP refer to the Note on page 13 18 To display the current configuration of 802 1X Web based and MAC authentication on all switch ports enter the show port access config command Figure 13 3 Example of show port access config Command Output HP Switch config password port access user name Jim secret3 HP Switch config show port access co...

Page 627: ...pen VLAN Mode on page 13 32 6 For any port you want to operate as a supplicant determine the user credentials You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports This can also be the same local username password pair that you assign to the switch 7 Unless you are using only the switch s local username and password for 802 1X au...

Page 628: ... get network access Refer to page 13 18 2 If you want to provide a path for clients without 802 1X supplicant software to download the software so that they can initiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 13 32 3 Configure the 802 1X authentication type Options include Local Operator username and password using th...

Page 629: ... device then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches on page 13 50 Configuring Switch Ports as 802 1X Authenticators 802 1X Authentication Commands Page no aaa port access authenticator port list 13 18 auth vid clear statistics client limit control max requests initialize logoff period quiet period serv...

Page 630: ...rt the switch automatically dis ables LACP on that port However if the port is already operating in an LACP trunk you must remove the port from the trunk before you can configure it for 802 1X authentication A Enable the Selected Ports as Authenticators and Enable the Default Port Based Authentication Syntax no aaa port access authenticator port list Enables specified ports to operate as 802 1X au...

Page 631: ...t If a port currently has no authenticated client sessions the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session If another client session begins later on the same port while an earlier session is active the later session will be on the same untagged VLAN membership as the earlier session Note The client limi...

Page 632: ...port based authentication which is the default setting for ports on which authentication is enabled Executing aaa port access authenticator port list enables 802 1X authenti cation on port list and enables port based authentica tion page 13 18 If a port currently has no authenticated client sessions the next authenticated client session the port accepts determines the untagged VLAN membership to w...

Page 633: ...802 1X credentials or support 802 1X authentication You can still configure console Telnet or SSH security on the port auto the default The device connected to the port must support 802 1X authentication and provide valid credentials to get network access Optional You can use the Open VLAN mode to provide a path for clients without 802 1X supplicant software to down load this software and begin th...

Page 634: ...esponse to an authentication request If there is no response within the configured time frame the switch assumes that the authentication attempt has timed out Depending on the current max requests setting the switch will either send a new request to the server or end the authentication session Default 30 seconds max requests 1 10 Sets the number of authentication attempts that must time out before...

Page 635: ... to 802 1X Open VLAN Mode on page 13 32 aaa port access authenticator port list logoff period 1 999999999 Configures the period of time the switch waits for client activity before removing an inactive client from the port Default 300 seconds unauth period 0 255 Specifies a delay in seconds for placing a port on the Unauthorized Client VLAN This delay allows more time for a client with 802 1X suppl...

Page 636: ... aaa authentication port access chap radius eap radius local Configures local chap radius MD5 or eap radius as the primary password authentication method for port access The default pri mary authentication is local Refer to the documentation for your RADIUS server application For switches covered in this guide you must use the password port access command to configure the operator user name and pa...

Page 637: ...nd Accounting HP Switch config aaa authentication port access eap radius HP Switch config show authentication Status and Counters Authentication Information Login Attempts 3 Respect Privilege Disabled Login Login Login Access Task Primary Server Group Secondary Console Local None Telnet Local None Port Access EapRadius Webui Local None SSH Local None Web Auth ChapRadius None MAC Auth ChapRadius No...

Page 638: ...in the string It is not backward compatible the character is lost if you use a software version that does not support the character Syntax radius server key global key string Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server specific key This key is optional if all RADIUS server addresses configured in the switch include a ser...

Page 639: ...i cated state As documented in the IEEE 802 1X standard an 802 1X aware port that is unauthenticated can control traffic in either of the following ways In both ingress and egress directions by disabling both the reception of incoming frames and transmission of outgoing frames Only in the ingress direction by disabling only the reception of incoming frames Syntax aaa port access authenticator port...

Page 640: ...eeping workstation for example during early morning hours to perform routine maintenance operations such as patch management and software updates The aaa port access controlled direction in command allows Wake on LAN traffic to be transmitted on an 802 1X aware egress port that has not yet transitioned to the 802 1X authenticated state the controlled direction both setting prevents Wake on LAN tra...

Page 641: ...authenticator config command as shown in Figure 13 12 When an 802 1X authenticated port is configured with the controlled directions in setting eavesdrop prevention is not supported on the port Example Configuring 802 1X Controlled Directions The following example shows how to enable the transmission of Wake on LANtrafficintheegressdirectiononan802 1X awareportbeforeittransitions to the 802 1X aut...

Page 642: ...the result of initial authentication or because of an untagged packet from the client then all 802 1X or Web MAC authenticated guests are removed from the port and the port becomes an untagged member of the client s untagged VLAN Characteristics of Mixed Port Access Mode The port keeps tagged VLAN assignments continuously The port sends broadcast traffic from the VLANs even when there are only gue...

Page 643: ...they are removed by a new authentication an untagged authorization a port state change and so on Configuring Mixed Port Access Mode Figure 13 8 Example of Configuring Mixed Port Access Mode Syntax no aaa port access port list mixed Enables or disables guests on ports with authenticated clients Default Disabled guests do not have access HP Switch config aaa port access 6 mixed ...

Page 644: ...X access security As a result the port would become blocked and the client could not access the network This prevented the client from Acquiring IP addressing from a DHCP server Downloading the 802 1X supplicant software necessary for an authenti cation session The 802 1X Open VLAN mode solves this problem by temporarily suspending the port s static VLAN memberships and placing the port in a desig...

Page 645: ...uthenticated client determines the untagged VLAN membership for that port Clients that connect without trying to authenticate will have access to the untagged VLAN mem bership that is currently assigned to the port VLAN Membership Priorities Following client authentication an 802 1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration The port al...

Page 646: ...2 1X Open VLAN mode authentication Unauthorized Client VLAN Configure this VLAN when unauthenti cated friendly clients will need access to some services before being authenticated or instead of being authenticated Authorized Client VLAN ConfigurethisVLANforauthenticatedclients when the port is not statically configured as an untagged member of a VLAN you want clients to use or when the port is sta...

Page 647: ...the port already has a statically configured untagged membership in another VLAN then the port temporarily closes access to this other VLAN while in the Unauthorized Client VLAN To limit security risks the network services and access available ontheUnauthorized ClientVLANshouldincludeonlywhataclient needs to enable an authentication session If the port is statically configured as a tagged member o...

Page 648: ...on assigns a VLAN and there are no other authenticatedclientsontheport thentheportbecomesamember of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is connected If the port is statically configured as a tagged member of a VLAN andthisVLANisusedastheAuthorized ClientVLAN thentheport temporarily becomes an untagged member of this VLAN when the client becomes authentic...

Page 649: ... this assignment overrides any statically configured untagged VLAN membership on the port while the client is connected If the port is statically configured as a tagged member of a VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN Note that if the port is already configured as a ...

Page 650: ...ged member ofany other VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN then the port becomes an untagged member of that VLAN for the duration of the client connection Note A...

Page 651: ...isconnects from the port then the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured After client authen tication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 13 34 TemporaryVLANMembershipDuring a Client Session Port membership in a VLAN assigned to operate as the Unautho...

Page 652: ...nticatedclientdisconnects theswitchremovesthe port from the Authorized Client VLAN and moves it back to the untagged membership in the statically configured VLAN After client authentication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 13 34 Note This rule assumes No alternate VLAN has been assigned by a RADIUS server No other...

Page 653: ...authentication can begin Switch with a Port Configured To Allow Multiple Authorized Client Sessions When a new client is authenticated on a given port If no other clients are authenticated on that port then the port joins one VLAN in the following order of precedence a A RADIUS assigned VLAN if configured b An Authenticated Client VLAN if configured c A static port based VLAN to which the port bel...

Page 654: ...ou can optionally enable switches to allow up to 32 clients per port The Unauthorized Client VLAN feature can operate on an 802 1X configured port regardless of how many clients the port is configured tosupport However allclientson thesameportmustoperatethrough thesameuntaggedVLANmembership unlessMAC basedVLANsare enabled Please see MAC Based VLANs on page 6 52 This means that any client accessing...

Page 655: ...for downloading 802 1X supplicant software to the client and a procedure by which the client initiates the download A client must either have a valid IP address configured before connecting to the switch or download one through the Unauthorized Client VLAN from a DHCP server In the latter case you will need to provide DHCP services on the Unauthorized Client VLAN Ensure that the switch is connecte...

Page 656: ...1X authentication with 802 1X supplicant operation and to provide valid credentials to get network access 2 Configure the 802 1X authentication type Options include Syntax aaa port access authenticator port list control auto Activates 802 1X port access on ports you have config ured as authenticators Syntax aaa authentication port access local eap radius chap radius Determines the type of RADIUS a...

Page 657: ...ver requires a different key than configured for the global encryption key The tilde character is allowed in the string It is not backward compatible the character is lost if you use a software version that does not support the character Syntax radius server key global key string Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a serv...

Page 658: ...teps needed to prepare the switch for using Open VLAN mode refer to Preparation on page 13 42 For example suppose you want to configure 802 1X port access with Open VLAN mode on ports A10 A20 and These two static VLANs already exist on the switch Unauthorized VID 80 Authorized VID 81 Your RADIUS server has an IP address of 10 28 127 101 The server uses rad4all as a server specific key string The s...

Page 659: ... X then the port returns to tagged membership in VLAN X upon successful client authen tication This happens even if the RADIUS server assigns the port to another authorized VLAN Y Note that if RADIUS assigns VLAN X as anauthorizedVLAN then theportbecomesanuntaggedmemberofVLAN X for the duration of the client connection If there is no Authorized Client or RADIUS assigned VLAN then an authenticated ...

Page 660: ...self If there are multiple clients authenticated on the port if one client loses access and attempts to re authenticate that client will be handled as a new client on the port The first client to authenticate on a port configured to support multiple clients will determine the port s VLAN membership for any subsequent clients that authenticate while an active session is already in effect Option For...

Page 661: ...rrent delay period or logoff period has expired Configure the port access type HP Switch config aaa port access authenticator a10 control auto HP Switch config show port access authenticator a10 config Port Access Authenticator Configuration Port access authenticator activated No Yes Allow RADIUS assigned dynamic GVRP VLANs No No Re auth Access Max Quiet TX Supplicant Server Cntrl Port Period Cont...

Page 662: ...onfigured for 802 1X supplicant operation You want to connect port A1 on switch A to port B5 on switch B Figure 13 10 Example of Supplicant Operation 1 When port A1 on switch A is first connected to a port on switch B or if the ports are already connected and either switch reboots port A1 begins sending start packets to port B5 on switch B 802 1X Authentication Commands page 13 17 802 1X Supplican...

Page 663: ...nse ID packet If switch B is configured for RADIUS authentication it forwards this request to a RADIUS server If switch B is configured for Local 802 1X authentication the authenticator compares the switch A response to its local username and password 2 The RADIUS server then responds with an MD5 access challenge that switch B forwards to port A1 on switch A 3 Port A1 replies with an MD5 hash resp...

Page 664: ...rd on the supplicant port Syntax no aaa port access supplicant ethernet port list Configures a port as a supplicant with either the default supp licant settings or any previously configured supplicant set tings whichever is most recent The no form of the command disables supplicant operation on the specified ports Syntax aaa port access supplicant ethernet port list To enable supplicant operation ...

Page 665: ...ort sends another request up to the number of attempts spec ified by the max start parameter Default 30 seconds max start 1 10 Defines the maximum number of times the supplicant port requests authentication See step 1 on page 13 50 for a description of how the port reacts to the authenticator response Default 3 held period 0 65535 Sets the time period the supplicant port waits after an active 802 ...

Page 666: ...s Supplicants for 802 1X Connections to Other Switches initialize On the specified ports blocks inbound and outbound traf fic and restarts the 802 1X authentication process Affects only ports configured as 802 1X supplicants clear statistics Clears and restarts the 802 1X supplicant statistics coun ters ...

Page 667: ...rt list detailed page 13 63 show port access supplicant page 13 68 Details of 802 1X Mode Status Listings page 13 64 RADIUS server configuration pages 13 25 Syntax show port access authenticator port list config statistics session counters vlan clients detailed If you enter the showport accessauthenticatorcommand with out an optional value the following configuration informa tion is displayed for ...

Page 668: ...e than one authenticated client on the port No No client specific CoS values are applied to any authenticated client on the port cos value Numerical value of the CoS 802 1p priority applied to inbound traffic from one authenticated client For client specific per port CoS values enter the showport accessweb basedclientsdetailed command In Limit Inbound rate limit applied RADIUS ACL Are RADIUS assig...

Page 669: ...1 1 4006 Yes 77777777 No Yes both 2 2 0 MACbased No No No Yes both 3 4 0 1 Yes No No No both Syntax show port access authenticator config port list Displays 802 1X port access authenticator configuration settings including Whether port access authentication is enabled Whether RADIUS assigned dynamic VLANs are supported 802 1X configuration of ports that are enabled as 802 1X authenticators For a d...

Page 670: ...thentication fails and the authentication session ends Quiet Period Period of time in seconds during which the port does not try to acquire a supplicant TX Timeout Period of time in seconds that the port waits to retransmit the next EAPOL PDU during an authentication session Supplicant Timeout Period of time in seconds that the switch waits for a supplicant response to an EAP request Server Timeou...

Page 671: ...ether RADIUS assigned dynamic VLANs are supported 802 1X supplicant s MAC address as determined by the content of the last EAPOL frame received on the port 802 1X traffic statistics from received and transmitted packets 802 1X configuration information for ports that are not enabled as an 802 1X authenticators is not displayed HP Switch config show port access authenticator statistics Port Access ...

Page 672: ...ed on each port Duration and status of active 802 1X authentication sessions in progress or terminated User name of 802 1X supplicant included in 802 1X response packets configured with the aaa port access supplicantidentity username command see page 13 49 802 1X configuration information for ports that are not enabled as an 802 1X authenticators is not displayed HP Switch config show port access ...

Page 673: ...n ticator Authentication mode used on each port configured with the aaaport accessauthenticatorcontrol command see page 13 21 VLAN ID if any to be used for traffic from 802 1X authenticated clients VLAN ID if any to be used for traffic from unauthenticated clients 802 1X configuration information for ports that are not enabled as an 802 1X authenticators is not displayed HP Switch config show port...

Page 674: ...d through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If an 802 1X authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table n a no info is displayed HP Switch config show port access authenticator cl...

Page 675: ...ADIUS server HP Switch config show port access authenticator clients 5 detailed Port Access Authenticator Client Status Detailed Client Base Details Port 5 Session Status Open Session Time sec 999999999 Frames In 999999999 Frames Out 99999999 Username webuser1 MAC Address 001321 eb8063 IP 2001 fecd ba23 cd1f dcb1 1010 9234 4088 Access Policy Details COS Map 70000000 In Limit 87 Untagged VLAN 3096 ...

Page 676: ... activated No No Authenticator Authenticator Current Current Curr Rate Port Status State Backend State VLAN ID Port COS Limit Inbound 1 Closed Connecting Idle 100 No override No override 2 Open Authorized Idle 101 No override No override 3 Closed Connecting Idle 100 No override No override 4 Closed Connecting Idle No PVID No override No override In these two show outputs an Unauth VLAN ID appearin...

Page 677: ...an authenticated 802 1X client is attached to the port Table 13 1 Output for Determining Open VLAN Mode Status Figure 13 18 Upper Status Indicator Meaning Access Control This state is controlled by the following port access command syntax HP Switch config aaa port access authenticator port list control authorized auto unauthorized Auto Configures the port to allow network access to any connected d...

Page 678: ...supplicant is connected to the port Current VLAN ID vlan id Lists the VID of the static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Current Port CoS Refer to the section describing RADIUS support for Identity Driven Management IDM in chapter 6 RADIUS Authentication Authorization and Accounting in this guide Curr Rate Limit Inbound Syntax...

Page 679: ...gged Learn Up A2 Untagged Learn Up A3 Untagged Learn Up A4 Untagged Learn Up B2 Untagged Learn Up B4 Untagged Learn Up B23 Untagged Learn Up B24 Untagged Learn Up Overriden Port VLAN configuration Port Mode B1 Untagged B3 Untagged Note that ports B1 and B3 are not in the upper listing but are included under Overridden Port VLAN configuration This shows that static untagged VLANmembershipsonportsB1...

Page 680: ...ction statistics it most recently received until one of the above events occurs Also if you move a link with an authenticator from one Syntax show port access supplicant port list statistics show port access supplicant port list Shows the port access supplicant configuration excluding the secret parameter for all ports or port list ports configured on the switch as supplicants The Supplicant State...

Page 681: ...bed below If the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not already configured as an untagged member of the static VLAN specified by the RADIUS server then the switch temporarily assignsport N asanuntaggedmemberoftherequiredVLAN fortheduration of the 802 1X session At the same time if port N ...

Page 682: ...rt is temporarily assigned as a member of an untagged static or dynamic VLAN for use during the client session according to the follow ing order of options a The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication b If RADIUS authentication does not include assigning the port to a VLAN then the switch assigns the port to the authorized client VLAN conf...

Page 683: ... server For information on how to enable the switch to dynamically create 802 1Q compliant VLANs on links to other devices using the GARP VLAN RegistrationProtocol GVRP seethechapteron GVRP intheAdvanced Traffic Management Guide For an authentication session to proceed a port must be an untagged member of the static or dynamic VLAN assigned by the RADIUS server or an authorized client VLAN configu...

Page 684: ...C or Web authentication client sessions all authenticated clients must use the same port based untagged VLAN membership assigned for the earliest currently active client session Therefore on a port where one or more authenticated client sessions are already running all such clients are on the same untagged VLAN unless MAC based VLANs are enabled Please see MAC Based VLANs on page 6 51 If a RADIUS ...

Page 685: ...rt A2 with the requirement that the client use VLAN 22 then VLAN 22 becomes available as Untagged on port A2 for the duration of the session VLAN 33 becomes unavailable to port A2 for the duration of the session because there can be only one untagged VLAN on any port To view the temporary VLAN assignment as a change in the active configura tion use the show vlan vlan id command as shown in Figure ...

Page 686: ... in Figure 13 22 HP Switch config show vlan 22 Status and Counters VLAN Information VLAN 22 VLAN ID 22 Name vlan 22 Status Static Voice No Jumbo No Port Information Mode Unknown VLAN Status A1 Tagged Learn Up A2 802 1X Learn Up A4 Tagged Learn Up Overriden Port VLAN configuration Port Mode A2 No This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802 1X session This is to accom...

Page 687: ...2 After the 802 1X Session Ends HP Switch config show vlan 33 Status and Counters VLAN Information VLAN 33 VLAN ID 33 Name VLAN_33 Status Static Voice No Jumbo No Port Information Mode Unknown VLAN Status A4 Tagged Learn Up Overriden Port VLAN configuration Port Mode A2 Untagged Even though port A2 is configured as Untagged on static VLAN 33 see figure 13 20 it does not appear in the VLAN 33 listi...

Page 688: ...agement Guide Notes 1 If a port is assigned as a member of an untagged dynamic VLAN the dynamic VLAN configuration must exist at the time of authentication and GVRP for port access authentication must be enabled on the switch If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch the authentication fails 2 After you enable ...

Page 689: ...se the temporary VLAN assignment Re activates and resumes advertising the temporarily disabled VLAN assignment 3 If you disable the use of dynamic VLANs in an authentication session using the noaaaport accessgvrp vlans command client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated This behavior differs form how static VLAN assignment is handled in an authe...

Page 690: ...age 13 52 No server s responding This message can appear if you configured the switch for EAP RADIUS or CHAP RADIUS authentication but the switch does not receive a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that message page 6 84...

Page 691: ...cannot be used MAC Lockdown Page 14 24 This feature also known as Static Addressing is used to prevent station movement and MAC address hijack ing by allowing a given MAC address to use only an assigned port on the switch MAC Lockdown also restricts the client device to a specific VLAN See also the Note above MAC Lockout Page 14 32 This feature enables you to block a specific MAC address so that t...

Page 692: ...ice of security violations Once port security is configured you can then monitor the network for security violations through one or more of the following Alert flags that are captured by network management tools such as PCM Alert Log entries in the WebAgent Event Log entries in the console interface Intrusion Log entries in the menu interface CLI or WebAgent For any port you can configure the foll...

Page 693: ...uide for your switch Port Access Allows only the MAC address of a device authenticated through the switch s 802 1X Port Based access control Refer to chapter 13 Configuring Port Based and User Based Access Control 802 1X For configuration details refer to Configuring Port Security on page 14 12 Eavesdrop Prevention Configuring port security on a given switch port automatically enables Eaves drop P...

Page 694: ...c with unknown destination addresses normally Port access Disabling Eavesdrop Prevention is not applied to the port There is no change Limited continuous When Eavesdrop Prevention is disabled the port transmits packets that have unknown destination addresses The port is secured MAC addresses age normally Eavesdrop Prevention may cause difficulties in learning MAC addresses as with static MAC addre...

Page 695: ...t will be scrambled hpSecurePortEntry 5 Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a security violation is detected the switch security measures block unauthorized traffic without disabling the port This implementation enables you to apply the security configuration to ports on which hubs switches or other devices are connected and to maintain security...

Page 696: ...n Ports configured for either Active or Passive LACP and which are not members of a trunk can be configured for port security Switch A Port Security Configured Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A PC 2 MAC Address NOT Authorized by Switch A PC 3 MAC Address NOT Authorized by Switch A Switch C MAC Address NOT Authorized by Switch A Switch A Port Securi...

Page 697: ...ion alarms to an SNMP management station and to 2 option ally disable the port on which the intrusion was detected d How do you want to learn of the security violation attempts the switch detects You can use one or more of these methods Through network management That is do you want an SNMP trap sent to a net management station when a port detects a security violation attempt Through the switch s ...

Page 698: ... Use the global configuration level to execute port security configuration commands Port Security Display Options You can use the CLI to display the current port security settings and to list the currently authorized MAC addresses the switch detects on one or more ports show port security 14 9 show mac address 14 10 port security 14 12 port list 14 12 learn mode 14 12 address limit 14 15 mac addre...

Page 699: ...number show port security port number port number port number The CLI uses the same command to provide two types of port security listings All ports on the switch with their Learn Mode and alarm Action Only the specified ports with their Learn Mode Address Limit alarm Action and Authorized Addresses Without port parameters show port security displays Operating Control settings for all ports on a s...

Page 700: ...fig show port security A3 Port Security Port A3 Learn Mode Continuous Static Address Limit 1 1 Action None None Eavesdrop Prevention Enabled Enabled Authorized Addresses 00906d fdcc00 Syntax show mac address port list mac address vlan vid Without an optional parameter show mac address lists the authorized MAC addresses that the switch detects on all ports mac address Lists the specified MAC addres...

Page 701: ... 9c09cb 7 1 000102 f215c7 5 100 0018fe a5e504 1 222 Switch config show mac address 7 Status and Counters Port Address Table 7 MAC Address VLANs 00000c 07ac00 1 0000aa 9c09cb 1 Switch config show mac address 00000c 07ac00 Status and Counters Address Table 00000c 07ac00 Port VLAN 5 100 Switch config show mac address vlan 1 Status and Counters Address Table VLAN 1 MAC Address Port 00000c 07ac00 1 000...

Page 702: ...drop Prevention on page 14 3 continuous Default Appears in the factory default setting or when you executenoport security Allows the port to learn addresses from the device s to which it is connected In this state the port accepts traffic from any device s to which it is connected Addresses learned in the learn continuous mode will age out and be automatically deleted if they are not used regularl...

Page 703: ... but use mac addressto specify only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses it detects If for example You use mac address to authorize MAC address 0060b0 880a80 for port A4 You use address limit to allow three devices on port A4 and the port detects these MAC addresses 1 080090 13...

Page 704: ...ed and User Based Access Control 802 1X configured Must specify which MAC addresses are allowed for this port Range is 1 default to 8 and addresses are not ageable Addresses are saved across reboots limited continuous Also known as MAC Secure or limited mode The limited parameter sets a finite limit to the number of learned addresses allowed per port You can set the range from 1 the default to a m...

Page 705: ...sic Operation Guide for your switch To set the learn mode to limited use this command syntax port security port list learn mode limited address limit 1 64 action none send alarm send disable The default address limit is 1 but may be set for each port to learn up to 64 addresses The default action is none To see the list of learned addresses for a port use the command show mac port list address lim...

Page 706: ...ed do not age out See also Retention of Static Addresses on page 14 17 action none send alarm send disable Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device or when Learn Mode is set to continuous and there is an address change on a port none Prevents an SNMP trap from being sent none is the default v...

Page 707: ... and the running config file by exe cuting the write memory command The port learns a MAC address after you configure the port for Static learn mode in only the running config file and after the address is learned you execute write memory to configure the startup config file to match the running config file To remove an address learned using either of the preceding methods do one of the following ...

Page 708: ...end disable The next example does the same as the preceding example except that it specifies a MAC address of 0c0090 123456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device HP Switch config port security a1 learn mode static mac address 0c0090 123456 action send disable This example configures port A5 to Allow two MAC...

Page 709: ... the second authorized address HP Switch config port security a1 mac address 0c0090 456456 After executing the above command the security configuration for port A1 would be Figure 14 7 Example of Adding a Second Authorized Device to a Port HP Switch config show port security 1 Port Security Port 1 Learn Mode Continuous Static Address Limit 1 2 Action None None Eavesdrop Prevention Enabled Enabled ...

Page 710: ...port s current Address Limit setting then you must increase the Address Limit in order to add the device even if you want to replace one device with another Using the CLI you can simultaneously increase the limit and add the MAC address with a single command For example suppose port A1 allows one authorized device and already has a device listed Figure 14 8 Example of Port Security on Port A1 with...

Page 711: ...hown below This prevents the possibility of the same device or another unauthorized device on the network from automatically being accepted as authorized for that port To remove a device MAC address from the Authorized list and when the current number of devices equals the Address Limit value you should first reduce the Address Limit value by 1 then remove the unwanted device Not e You can reduce ...

Page 712: ... 14 10 Example of Port A1 After Removing One MAC Address Clear MAC Address Table The following options allow learned MAC addresses to be removed from the MAC address table as follows Remove all MAC addresses Remove all MAC address on a specified VLAN Remove all MAC addresses on a port Remove a specific MAC address on a specific VLAN This functionality is also supported by SNMP HP Switch config sho...

Page 713: ...s from a specific VLAN To view the results from clearing a MAC address use the show mac address command with the appropriate option Syntax clear mac address port port list Removes MAC addresses that were learned on the specified port or ports in port list Use all to remove all MAC addresses in the MAC address table Syntax clear mac address vlan vid Removes all MAC addresses that were learned on th...

Page 714: ...dress on that VLAN The client device with that MAC address is allowed to access other VLANs on the same port or through other ports Not e Port security and MAC Lockdown are mutually exclusive on a given port You can either use port security or MAC Lockdown but never both at the same time on the same port HP Switch config show mac address vlan 2 Status and Counters Address Table VLAN 2 MAC Address ...

Page 715: ...her than the locked down port Thus TCP connections cannot be established Traffic sent to the locked address cannot be hijacked and directed out the port of the intruder If the device computer PDA wireless device is moved to a different port on the switch by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same sw...

Page 716: ...deals with MAC addresses only while MAC Lockdown specifies both a MAC address and a VLAN for lockdown MAC Lockdown on the other hand is not a list It is a global parameter on the switch that takes precedence over any other security mechanism The MAC Address will only be allowed to communicate using one specific port on the switch MAC Lockdown is a good replacement for port security to create tight...

Page 717: ...sages in the log file can be useful for troubleshooting problems If you are trying to connect a device which has been locked down to the wrong port it will not work but it will generate error messages like this to help you determine the problem Limiting the Frequency of Log Messages The first move attempt or intrusion is logged as you see in the example above Subsequent move attempts send a messag...

Page 718: ...s The purpose of using MAC Lockdown is to prevent a malicious user from hijacking an approved MAC address so they can steal data traffic being sent to that address As we have seen MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MA...

Page 719: ...ta can travel to Server A You can use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go through the one port on the edge switches That way users on the edge can still use other network resources but they cannot spoof Server A and hijack data traffic which is intended for that server alone 3500yl Switch 8212zl Switch 8212zl Switch 3500yl Switch Internal Core Netwo...

Page 720: ...ge any traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect agains...

Page 721: ...re would defeat the purpose of using MSTP or having an alternate path Technologies such as MSTP or meshing are primarily intended for an inter nal campus network environment in which all users are trusted MSTP and meshing do not work well with MAC Lockdown If you deploy MAC Lockdown as shown in the Model Topology in figure 14 15 page 14 29 you should have no problems with either security or connec...

Page 722: ...se the MAC Lockout command on all switches To use MAC Lockout you must first know the MAC Address you wish to block How It Works Let s say a customer knows there are unauthorized wireless clients whoshouldnothaveaccess to thenetwork The networkadministrator locks out the MAC addresses for the wireless clients by using the MAC Lockout command lockout mac mac address When the wireless clients then a...

Page 723: ...as a drop As this can quickly fill the MAC table restrictions are placed on the number of lockout MAC addresses based on the number of VLANs configured There are limits for the number of VLANs Multicast Filters and Lockout MACs that can be configured concurrently as all use MAC table entries The limits are shown below Table 14 17 Limits on Lockout MACs VLANs Configured Number of MAC Lockout Addres...

Page 724: ...om known devices because it can be configured for all ports on the switch with one command It is possible to use MAC Lockout in conjunction with port security You can use MAC Lockout to lock out a single address deny access to a specific device but still allow the switch some flexibility in learning other MAC Addresses Be careful if you use both together however If a MAC Address is locked out and ...

Page 725: ...ds in the following ways to notify you The switch sets an alert flag for that port This flag remains set until You use either the CLI menu interface or WebAgent to reset the flag The switch is reset to its factory default configuration The switch enables notification of the intrusion through the following means In the CLI The show port security intrusion log command displays the Intrusion Log The ...

Page 726: ...you a history of past intrusions detected on port A1 Figure 14 18 Example of Multiple Intrusion Log Entries for the Same Port The log shows the most recent intrusion at the top of the listing You cannot delete Intrusion Log entries unless you reset the switch to its factory default configuration Instead if the log is filled when the switch detects a new intrusion the oldest entry is dropped off th...

Page 727: ...come disabled again unless you first reset the port s intrusion flag This operation enables the port to continue passing traffic for authorized devices while you take the time to locate and eliminate the intruder Other wise the presence of an intruder could cause the switch to repeatedly disable the port Menu Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags The menu inter...

Page 728: ...h reset occurred at the indicated time and that the intrusion occurred prior to the reset 3 To acknowledge the most recent intrusion entry on port A3 and enable the switch to enter a subsequently detected intrusion on this port type R for Reset alert flags Note that if there are unacknowledged intrusions on two or more ports this step resets the alert flags for all such ports If you then re displa...

Page 729: ...ort A1 Figure 14 21 Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion you would then enter the show port security intrusion log command For example Syntax show interfaces brief List intrusion alert status and other port status informa tion show port security intrusion log List intrusion log content clear intrusion flags Clear in...

Page 730: ...the intrusion from port A1 and enable the switch to enter any subsequentintrusionforportA1intheIntrusionLog executetheport security clear intrusion flag command If you then re display the port status screen you will see that the Intrusion Alert entry for port A1 has changed to No Executing showport securityintrusion log again will result in the same display as above and does not include the Intrus...

Page 731: ...y level of the log entry and FFI is the system module that generated the entry For further information display the Intrusion Log as shown below From the CLI Type the log command from the Manager or Configuration level Syntax log search text For search text you can use ffi security or violation For example HP Switch config show interfaces brief Status and Counters Port Status Intrusion MDI Flow Bca...

Page 732: ...re using the WebAgent through a switch port configured for Static port security and your browser access is through a proxy web server then it is necessary to do the following Enter your PC or workstation MAC address in the port s Authorized Addresses list Enter your PC or workstation s IP address in the switch s IP Authorized Managers list See Using Authorized IP Managers in the Management and Con...

Page 733: ...s that even if an entry is forced off of the Intrusion Log no new intrusions can be logged on the port referenced in that entry until you reset the alert flags LACP Not Available on Ports Configured for Port Security To main tain security LACP is not allowed on ports configured for port security If you configure port security on a port on which LACP active or passive is configured the switch remov...

Page 734: ...14 44 Configuring and Monitoring Port Security Operating Notes for Port Security ...

Page 735: ...deviceby invoking anyother access security features If the Authorized IP Managers feature disallows access to the device then access is denied Thus with authorized IP managers config ured having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch s Authorized IP Managers configuration You can use A...

Page 736: ...15 2 Using Authorized IP Managers Overview Not e When no Authorized IP manager rules are configured the access method feature is disabled that is access is not denied ...

Page 737: ...ment access to the switch even though a duplicate IP address condition exists For these reasons you should enhance your network s security by keepingphysicalaccesstotheswitchrestrictedtoauthorizedpersonnel using the username password and other security features available in the switch and preventing unauthorized access to data on your management stations Access Levels Foreachauthorizedmanageraddre...

Page 738: ...P Entry on page 15 11 To configure the switch for authorized manager access enter the appropriate Authorized Manager IP value specify an IP Mask and select either Manager or Operator for the Access Level The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a manage ment station Not e If the management VLAN is configured access can only be on t...

Page 739: ...nu Viewing and Configuring IP Authorized Managers Only IPv4 is supported when using the menu to set the management access method From the console Main Menu select 2 Switch Configuration 6 IP Authorized Managers Figure 15 1 Example of How to Add an Authorized Manager Entry HP Switch 22 Apr 2008 20 17 53 CONSOLE MANAGER MODE Switch Configuration IP Managers Authorized Manager IP IP Mask Access Level...

Page 740: ...e switch For example HP Switch 22 Apr 2008 20 17 53 CONSOLE MANAGER MODE Switch Configuration IP Managers Authorized Manager IP 10 10 245 3 IP Mask 255 255 255 255 255 255 255 255 Access Level Operator Access Method ssh Actions Back Add Edit Delete Help Enter an Authorized Manager IP address here Use the default mask to allow access by one management device or edit the mask to allow access by a bl...

Page 741: ...6 authorized managers ip address ip mask access manager operator access method all ssh telnet web snmp tftp Configures one or more authorized IP addresses access manager operator Configures the privilege level for ip address Applies only to access through telnet SSH SNMPv1 SNMPv2c and SNMPv3 Default manager access method all ssh telnet web snmp tftp Configures access levels by access method and IP...

Page 742: ...s the Manager access To Edit an Existing Manager Access Entry To change the mask or access level for an existing entry use the entry s IP address and enter the new value s Notice that any parameters not included in the command will be set to their default HP Switch config ip authorized managers 10 28 227 101 255 255 255 0 access operator The above command replaces the existing mask and access leve...

Page 743: ...ree click on Security 2 Click on IP Authorization 3 Click on Add Address to add an IP Authorized Manager Enter the appro priate parameter settings for the operation you want 4 To delete an IP authorized Manager select the Authorized Address and click on Delete 5 To change IP Authorization parameters click on Change in the IP Autho rization Details box Enter the information and click on Save Figure...

Page 744: ...the authorized station 2 If you don t need proxy server access on the authorized station disable the proxy server feature in the station s web browser interface Not e IP or MAC authentication can be used without a web proxy server Using a Web Proxy Server to Access the WebAgent C a u t i o n This is NOT recommended Using a web proxy server between the stations and the switch poses a security risk ...

Page 745: ...P mask to the IP address you specify to determine a range of authorized IP addresses for management access As described above that range can be as small as one IP address if 255 is set for all octets in the mask or can include multiple IP addresses if one or more octets in the mask are set to less than 255 If a bit in an octet of the mask is on set to 1 then the corresponding bit in the IP address...

Page 746: ...esponding IP address is allowed However the zero 0 in the 4th octet of the mask allows any value between 0 and 255inthatoctetofthecorrespondingIPaddress Thismaskallowsswitch access to any device having an IP address of 10 28 227 xxx where xxx is any value from 0 to 255 Authorized Manager IP 10 28 227 125 IP Mask 255 255 255 249 In this example figure 15 8 below the IP mask allows a group of up to ...

Page 747: ... authorized to access the switch The first three octets of the station s IP address must match the Authorized IP Address Bit 0 and Bits 3 through 6 of the 4th octet in the station s address must be on value 1 Bit 7 of the 4th octet in the station s address must be off value 0 Bits 1 and 2 can be either on or off This means that stations with the IP address 13 28 227 X where X is 121 123 125 or 127...

Page 748: ...ts Web Proxy Servers If you use the WebAgent to access the switch from an authorized IP manager station it is recommended that you avoid the use of a web proxy server in the path between the station and the switch This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list This reduces security by opening switch access...

Page 749: ...entralize the mechanisms used to configure and maintain security information for all routing protocols The Key Management System KMS can carry this burden KMS is designed to configure and maintain key chains A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys KMS provides specific instances of routing protocols with one or more Send or Accept keys t...

Page 750: ...t System KMS Enabled Protocol A protocol that uses KMS to store authentication key information Configuring Key Chain Management The Key Management System KMS has three configuration steps 1 Create a key chain entry 2 Assign a time independent key or set of time dependent keys to the Key Chain entry The choice of key type is based on the level of security required for the protocol to which the key ...

Page 751: ...or example to generate a new key chain entry Figure 16 1 Adding a New Key Chain Entry After you add an entry you can assign key s to it for use by a KMS enabled protocol Syntax no key chain chain_name Generate or delete a key chain entry Using the optional no form of the command deletes the key chain The chain_name parameter can include up to 32 characters show key chain Displays the current key c...

Page 752: ...r from 0 255 key string key_str This option lets you specify the key value for the protocol using the key The key_str can be any string of up to 14 characters in length accept lifetime infinite send lifetime infinite accept lifetimeinfinite Allows packets with this key to be accepted at any time from boot up until the key is removed send lifetime infinite Allows the switch to send this key as auth...

Page 753: ...to 14 characters in length encrypted key key_str Set key string using a base64 encoded aes 256 encrypted string accept lifetime mm dd yy yy hh mm ss now Specifies the start date and time of the valid period in which the switch can use this key to authenticate inbound packets duration mm dd yy yy hh mm ss seconds Specifies the time period during which the switch can use this key to authenticate inb...

Page 754: ...tch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches To list the result of the commands in figure 16 4 HP Switch config key chain Networking2 key 1 accept 1ifetime now 06 17 11 8 00 00 HP Switch config key chain Networking2 key 2 accept lifetime 06 18 11 8 00 00 duration 87000 send lifetime 06 18 11 8 00 00...

Page 755: ... expired The total number of keys is 5 HP Switch config show key chain Networking2 Chain Networking2 Key Accept Start GMT Accept Stop GMT Send Start GMT Send Stop GMT 1 01 03 90 13 59 20 06 17 11 08 00 00 01 03 90 13 59 20 06 17 11 08 00 00 2 06 18 11 08 00 00 06 19 11 08 10 00 06 18 11 08 00 00 06 19 11 08 00 00 3 06 19 11 08 00 00 06 20 11 08 10 00 06 19 11 08 00 00 06 20 11 08 00 00 4 06 20 11 ...

Page 756: ...16 8 Key Management System Configuring Key Chain Management ...

Page 757: ...36 delay Unauth Client VLAN 13 23 DHCP server 13 41 display all 802 1X Web and MAC authentication configuration 4 13 displaying 802 1X port configuration 13 57 13 58 13 59 13 60 13 61 EAP 13 1 EAPOL 13 6 13 59 eap radius 13 24 enabling controlled directions 13 27 on ports 13 18 on switch 13 26 event log messages 13 78 features 13 1 force authorized 13 21 13 65 force unauthorized 13 21 13 65 genera...

Page 758: ... security credentials saved to configuration file 2 18 2 28 server timeout 13 22 show commands 13 55 show commands supplicant 13 68 statistics 13 55 supplicant client not using 13 37 configuring switch port 13 52 enabling switch port 13 52 identity option 13 52 secret 13 52 switch port operating as 13 50 supplicant state 13 68 supplicant statistics note 13 68 supplicant configuring 13 50 supplican...

Page 759: ...it 10 51 CIDR mask 3 25 display data types 10 106 example named extended 10 73 extended configure 10 74 numbered configure 10 75 IPX 10 31 mask CIDR 3 25 removing from a VLAN 10 81 wildcard defined 7 14 ACL connection rate See connection rate filtering ACL IPv4 802 1X client limit 10 18 802 1X port based not recommended 10 18 802 1X effect on 10 18 ACE after match not used 10 32 10 45 defined 10 8...

Page 760: ...10 59 create 10 6 10 59 defined 10 9 10 41 delete 10 7 10 60 named configure 10 61 numeric I D range 10 41 protocol options 10 41 remark 10 7 10 60 resequence 10 6 10 60 sequence number 10 6 10 59 structure 10 43 use 10 13 features common to all 10 22 filter rule when RACL VACL and or port ACL all apply 10 20 filtering methods 10 13 filtering process 10 27 10 32 hit count See statistics ACE host o...

Page 761: ... port ACL operation defined 10 14 port added to trunk 10 34 port removed from trunk 10 34 port based 802 1X 10 18 port based security 10 18 ports affected 10 34 precedence 10 23 10 78 precedence numbers and names 10 65 purpose 10 2 RACL configure 10 7 defined 10 3 inbound traffic 10 10 operation defined 10 13 RACL applications 10 14 screening switched traffic 10 20 RACL outbound traffic not filter...

Page 762: ...mes 10 66 10 78 setting 10 23 traffic not filtered 10 31 to from the switch 10 35 types filtered 10 2 traffic types filtered 10 29 troubleshooting 10 117 troubleshooting client authentication 7 21 trunk 10 34 adding port 10 34 type 10 46 10 51 10 89 10 97 10 100 user based 802 1X 10 18 user based security 10 18 VACL configure 10 7 defined 10 3 operation defined 10 14 VACL applications 10 16 VLAN A...

Page 763: ...ort security 14 3 authorized IP managers access levels 15 3 access method 15 7 building IP masks 15 11 configuring 15 7 configuring in browser interface 15 9 configuring in console 15 5 definitions of single and multiple 15 4 effect of duplicate IP addresses 15 14 IP mask for multiple stations 15 11 IP mask for single station 15 11 IP mask operation 15 4 manager operator 15 7 operating notes 15 14...

Page 764: ...tify and reduce 3 4 notify only 3 4 notify only 3 11 operating rules 3 5 operation 3 3 options 3 3 penalty period throttling 3 11 port setting change effect 3 6 reboot effect 3 6 recommended application 3 1 re enable blocked host 3 6 routed traffic 3 9 sensitivity level 3 4 3 7 sensitivity level changing 3 17 sensitivity level command 3 10 show command 3 14 3 16 signature recognition 3 1 3 2 SNMP ...

Page 765: ...ver retransmit 3 seconds 6 20 radius server timeout 3 seconds 6 20 server key null 6 9 RADIUS authentication disabled 1 4 RSA keysize 2048 bits 8 12 secure management vlan disabled 1 4 security access security and authentication 1 2 network security 1 6 SNMP access 1 13 SNMP access to the security MIB open 6 32 SNMP public unrestricted 1 4 source port filters none 12 2 spanning tree bpdu filtering...

Page 766: ...rifying configuration 11 21 Dynamic Configuration Arbiter DCA applying settings to non authenticated clients 1 16 hierarchy of precedence in authentication sessions 1 17 overview 1 15 dynamic IP lockdown debugging 11 31 DHCP binding database 11 25 DHCP leases 11 25 DHCP snooping 11 24 enabling 11 26 filtering IP addresses 11 25 overview 11 23 platform differences 11 32 spoofing protection 11 24 ve...

Page 767: ...E Network Immunity Manager NIM 1 16 HP Networking switch documentation xxv HP PCM 7 2 IDM as a plug in to 1 20 port security alerts 14 2 HP PMC Identity Driven Manager 7 2 HP PMC Identity Driven Manager IDM 1 20 HP PMC IDM RADIUS based sessions 7 43 HTTP registration MAC authentication 4 61 I IANA 10 68 IANA protocol numbers 10 64 10 70 IDM 7 2 overview 1 20 RADIUS based security classifiers 1 20 ...

Page 768: ...d 13 12 13 18 13 78 listening 8 18 local privilege levels 6 75 login attempts monitoring 11 34 M MAC address count monitoring 11 34 inconsistent value 14 20 moves monitoring 11 34 MAC authentication address limit 4 52 authenticator operation 4 5 blocked traffic 4 1 CHAP defined 4 9 usage 4 1 client status 4 71 concurrent with Web 4 3 configuration commands 4 49 configuring on the switch 4 48 switc...

Page 769: ...assword 2 8 2 9 802 1X port access 2 13 2 28 browser console access 2 3 case sensitive 2 4 caution 2 3 configuring manager and operator 2 16 delete 2 5 deleting with the Clear button 2 5 disables usb autorun 2 3 encrypted 2 9 if you lose the password 2 5 included with security credentials 2 13 incorrect 2 3 length 2 4 length limit 2 7 locally configured hierarchy of precedence in authentication se...

Page 770: ...entication limits 6 80 authentication options 6 1 authentication authorized 6 11 authentication local 6 36 authentication web 6 1 authentication webagent 6 10 6 14 authorization 6 38 bypass RADIUS server 6 13 cached reauthentication 6 28 cached reauth period command 6 29 change of authorization 6 49 change of authorization attribute 6 49 client CoS 7 8 client Rate Limiting 7 8 commands authorizati...

Page 771: ...US RADIUS assigned See also RADIUS assigned ACL RADIUS assigned ACLs 7 11 7 15 10 3 802 1X port based access 7 22 802 1X user based access 7 22 ACE defined 7 11 application type 7 13 contrasting dynamic and static 7 17 DA defined 7 12 defined 7 11 definitions 7 11 deny any implicit switched packets 7 21 deny in any ACL on an interface 7 22 deny defined 7 12 dynamic port ACL 7 13 dynamic port ACL e...

Page 772: ... to startup configuration 2 26 saving to startup configuration with write memory 2 26 SNMPv3 2 17 SSH 2 21 SSH private keys not saved 2 28 TACACS 2 18 viewing in running configuration 2 12 viewing in startup configuration 2 26 when SNMPv3 credentials in downloaded file are not supported 2 28 security violations detecting 11 34 notices of 14 35 security ACL IPv4 See ACL security use security passwo...

Page 773: ... 8 10 keysize 8 12 known host file 8 13 8 15 mac selection 8 18 man in the middle spoofing 8 16 messages operating 8 39 OpenSSH 8 2 operating rules 8 7 password security 8 20 password only authentication 8 20 passwords assigning 8 8 PEM 8 3 prerequisites 8 4 private keys not saved to configuration file 2 28 public key 8 4 8 13 public key displaying 8 14 public key saving to configuration file 2 13...

Page 774: ...ion encryption key 5 22 configuration server access 5 17 configuration timeout 5 23 configuration viewing 5 9 encrypted key 5 18 encryption key 5 5 5 17 5 18 5 22 encryption key exclusion 5 30 encryption key general operation 5 26 encryption key global 5 23 encryption key saving to configuration file 2 13 general operation 5 1 IP address server 5 17 local manager password requirement 5 30 messages...

Page 775: ...in authentication session 6 48 unauthenticated access 13 29 untagged VLAN in authentication session 6 47 6 48 VLANs GVRP created 13 76 GVRP learned 13 76 See also VLAN VSA See vendor specific attribute with RADIUS 6 80 W Wake on LAN on 802 1X aware ports 13 28 on web authenticated ports 4 21 warranty iii Web authentication authenticator operation 4 5 blocked traffic 4 1 CHAP defined 4 9 usage 4 1 ...

Page 776: ...20 Index web server proxy 14 42 webagent access 6 6 wildcard See ACL wildcard See ACL ...

Page 777: ......

Page 778: ...subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP will not be liable for technical or editorial errors or omissions contained herein September 201 1 Manual Part Number 5998 2703 ...

Reviews:

No comments