HP J8697A Access Security Manual Download | Manualshive

Page: 166 / 390

background image

RADIUS Authentication and Accounting

Configuring RADIUS Accounting

■

Exec accounting:

Provides records holding the information listed

below about login sessions (console, Telnet, and SSH) on the switch:

• Acct-Session-Id

• Acct-Delay-Time

• NAS-IP-Address

• Acct-Status-Type

• Acct-Session-Time

• NAS-Identifier

• Acct-Terminate-Cause

• Username

• Calling-Station-Id

• Acct-Authentic

• Service-Type

■

System accounting:

Provides records containing the information

listed below when system events occur on the switch, including
system reset, system boot, and enabling or disabling of system
accounting.

• Acct-Session-Id

• Acct-Delay-Time

• NAS-Identifier

• Acct-Status-Type

• Username

• Calling-Station-Id

• Acct-Terminate-Cause

• Service-Type

• Acct-Authentic

• NAS-IP-Address

The switch forwards the accounting information it collects to the designated
RADIUS server, where the information is formatted, stored, and managed by
the server. For more information on this aspect of RADIUS accounting, refer
to the documentation provided with your RADIUS server.

Operating Rules for RADIUS Accounting

■

You can configure up to three types of accounting to run simulta
neously: exec, system, and network.

■

RADIUS servers used for accounting are also used for authentication.

■

The switch must be configured to access at least one RADIUS server.

■

RADIUS servers are accessed in the order in which their IP addresses
were configured in the switch. Use

show radius

to view the order.

As long as the first server is accessible and responding to authentica
tion requests from the switch, a second or third server will not be
accessed. (For more on this topic, refer to “Changing RADIUS-Server
Access Order” on page 6-33.)

■

If access to a RADIUS server fails during a session, but after the client
has been authenticated, the switch continues to assume the server is
available to receive accounting data. Thus, if server access fails during
a session, it will not receive accounting data transmitted from the
switch.

6-22

«
...
164
165
166
167
168
...
»

Summary of Contents for J8697A

Page 1: ...6200yl Access Security Guide 5400zl 3500yl ProCurve Switches K 11 XX www procurve com ...

Page 2: ......

Page 3: ...ProCurve Series 5400zl Switches Series 3500yl Switches 6200yl Switch Access Security Guide January 2006 K 11 XX ...

Page 4: ...entation and or other materials provided with the distribution 3 The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLU DING BUT NOT LIMITED TO THE IMPLIED WARRAN TIES OF MERCHANTABILITY AND FITNESS FOR A PAR TICULAR PURPOSE A...

Page 5: ...t Identity Examples 1 4 Configuration and Operation Examples 1 4 Keys 1 4 Sources for More Information 1 5 Getting Documentation From the Web 1 7 Online Help 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 Physical Installation 1 9 Premium Edge Switch Features 1 9 Overview of Access Security Features 1 10 General Switch Traffic Security Guidel...

Page 6: ...curity 2 12 Disabling the Clear Password Function of the Clear Button on the Switch s Front Panel 2 14 Re Enabling the Clear Button on the Switch s Front Panel and Setting or Changing the Reset On Clear Operation 2 16 Changing the Operation of the Reset Clear Combination 2 17 Password Recovery 2 18 Disabling or Re Enabling the Password Recovery Process 2 18 Password Recovery Process 2 20 3 Virus T...

Page 7: ... the Currently Blocked Hosts 3 18 Configuring and Applying Connection Rate ACLs 3 20 Connection Rate ACL Operation 3 21 Configuring a Connection Rate ACL Using Source IP Address Criteria 3 22 Configuring a Connection Rate ACL Using UDP TCP Criteria 3 23 Applying Connection Rate ACLs 3 26 Using CIDR Notation To Enter the ACE Mask 3 26 Example of Using an ACL in a Connection Rate Configuration 3 27 ...

Page 8: ...cation 4 26 Show Status and Configuration of MAC Based Authentication 4 27 Client Status 4 29 5 TACACS Authentication Contents 5 1 Overview 5 2 Terminology Used in TACACS Applications 5 3 General System Requirements 5 5 General Authentication Setup Procedure 5 5 Configuring TACACS on the Switch 5 8 Before You Begin 5 8 CLI Commands Described in this Section 5 9 Viewing the Switch s Current Authent...

Page 9: ... the Steps for Configuring RADIUS Authentication 6 9 1 Configure Authentication for the Access Methods You Want RADIUS To Protect 6 10 2 Enable the Optional Access Privilege Option 6 12 3 Configure the Switch To Access a RADIUS Server 6 13 4 Configure the Switch s Global RADIUS Parameters 6 15 Local Authentication Process 6 19 Controlling Web Browser Interface Access 6 20 Configuring RADIUS Accoun...

Page 10: ... Switch and Client Authentication 7 6 General Operating Rules and Notes 7 8 Configuring the Switch for SSH Operation 7 9 1 Assigning a Local Login Operator and Enable Manager Password 7 9 2 Generating the Switch s Public and Private Key Pair 7 10 3 Providing the Switch s Public Key to Clients 7 12 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 7 15 5 Configuring the Swit...

Page 11: ...o Generate or Erase the Switch s Server Certificate with the CLI 8 10 Comments on certificate fields 8 11 Generate a Self Signed Host Certificate with the Web browser interface 8 13 Generate a CA Signed server host certificate with the Web browser interface 8 15 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior 8 17 Using the CLI interface to enable SSL 8 19 Using the web ...

Page 12: ... Source Port Traffic Filter 9 18 Example of Creating a Source Port Filter 9 19 Configuring a Filter on a Port Trunk 9 19 Editing a Source Port Filter 9 20 Configuring a Multicast or Protocol Traffic Filter 9 21 Filter Indexing 9 22 Displaying Traffic Security Filters 9 23 10 Configuring Port Based and Client Based Access Control 802 1X Contents 10 1 Overview 10 3 Why Use Port Based or Client Based...

Page 13: ...n 10 19 Example Configuring Port Based 802 1X Authentication 10 19 2 Reconfigure Settings for Port Access 10 19 3 Configure the 802 1X Authentication Method 10 21 4 Enter the RADIUS Host IP Address es 10 22 5 Enable 802 1X Authentication on the Switch 10 23 6 Optionally Resetting Authenticator Operation 10 23 802 1X Open VLAN Mode 10 24 Introduction 10 24 VLAN Membership Priorities 10 25 Use Model...

Page 14: ...thorized Traffic 11 5 Trunk Group Exclusion 11 6 Planning Port Security 11 7 Port Security Command Options and Operation 11 8 Port Security Display Options 11 8 Configuring Port Security 11 12 Retention of Static Addresses 11 18 MAC Lockdown 11 23 Differences Between MAC Lockdown and Port Security 11 25 MAC Lockdown Operating Notes 11 26 Deploying MAC Lockdown 11 27 MAC Lockout 11 31 Port Security...

Page 15: ...Authorized Management Stations 12 4 Overview of IP Mask Operation 12 4 Menu Viewing and Configuring IP Authorized Managers 12 5 CLI Viewing and Configuring Authorized IP Managers 12 6 Listing the Switch s Current Authorized IP Manager s 12 6 Configuring IP Authorized Managers for the Switch 12 7 Web Configuring IP Authorized Managers 12 9 Building IP Masks 12 9 Configuring One Station Per Authoriz...

Page 16: ...Configuring Key Chain Management 13 3 Creating and Deleting Key Chain Entries 13 3 Assigning a Time Independent Key to a Chain 13 4 Assigning Time Dependent Keys to a Chain 13 5 Index xiv ...

Page 17: ...plains how to configure traffic manage ment features such as VLANs MSTP QoS and Meshing Multicast and Routing Guide included as a PDF file on the Documen tation CD This guide explains how to configure IGMP PIM IP routing and VRRP features Access Security Guide included as a PDF file on the Documentation CD This guide explains how to configure access security features and user authentication on the...

Page 18: ...and Routing Access Security Guide 802 1Q VLAN Tagging X 802 1X Port Based Priority X 802 1X Multiple Authenticated Clients per port X ACLs X AAA Authentication X Authorized IP Managers X Authorized Manager List web telnet TFTP X Auto MDIX Configuration X BOOTP X Config File X Console Access X Copy Command X CoS Class of Service X Debug X DHCP Configuration X DHCP Option 82 X DHCP Bootp Operation X...

Page 19: ...t Names X Guaranteed Minimum Bandwidth GMB X GVRP X Identity Driven Management IDM X IGMP Interface Access Telnet Console Serial Web X X IP Addressing X IP Routing X Jumbos Support X LACP X Link X LLDP X LLDP Med X MAC Address Management X MAC Lockdown X MAC Lockout X MAC based Authentication X MAC authentication RADIUS support X Management VLAN X Meshing X Monitoring and Analysis X Multicast Filt...

Page 20: ...ssword Clear Protection X PCM X PIM DM PIM SM X Ping X Port Configuration X Port Monitoring Port Security X X Port Status X Port Trunking LACP X Port Based Access Control Port Based Priority 802 1Q X X Power over Ethernet PoE X Protocol Filters X Protocol VLANS X Quality of Service QoS X RADIUS Authentication and Accounting X RADIUS Based Configuration X Rate limiting X RIP X RMON 1 2 3 9 X Routin...

Page 21: ...SSHv2 Secure Shell Encryption SSL Secure Socket Layer X X Stack Management 3500yl and 6200yl switches only X Syslog X System Information X TACACS Authentication X Telnet Access X TFTP X Time Protocols TimeP SNTP X Traffic Security Filters X Troubleshooting X UDP Forwarder X Virus Throttling connection rate filtering VLANs X X VLAN Mirroring 1 static VLAN X Voice VLAN X VRRP Web Authentication RADI...

Page 22: ...Product Documentation Feature Index xx ...

Page 23: ...eration Examples 1 4 Keys 1 4 Sources for More Information 1 5 Getting Documentation From the Web 1 7 Online Help 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 Physical Installation 1 9 Premium Edge Switch Features 1 9 Overview of Access Security Features 1 10 General Switch Traffic Security Guideline 1 11 Applications for Access Control Lis...

Page 24: ...hoot switch operation For an overview of other product documentation for the above switches refer to Product Documentation on page xv You can download documentation from the ProCurve Networking web site http www procurve com Conventions This guide uses the following conventions for command syntax and displayed information Feature Descriptions by Model In cases where a software feature is not avail...

Page 25: ... general text For example Use the copy tftp command to download the key from a TFTP server Italics indicate variables for which you must supply a value when execut ingthecommand Forexample inthiscommandsyntax youmustprovide one or more port numbers Syntax aaa port access authenticator port list Command Prompts In the default configuration your switch displays a CLI prompt similar to the following ...

Page 26: ...ile Port Identity Examples This guide describes software applicable to both chassis based and stackable ProCurve switches Where port identities are needed in an example this guide uses the chassis based port identity system such as A1 B3 B5 C7 etc However unless otherwise noted such examples apply equally to the stack able switches which typically use only numbers such as 1 3 5 15 etc for port ide...

Page 27: ...witches The 6200yl switch is available only as a Premium Edge switch new features and how to configure and use them software management including downloading software to the switch software fixes addressed in current and previous releases To view and download a copy of the latest software release notes for your switch refer to Getting Documentation From the Web on page 1 7 Product Notes and Softwa...

Page 28: ...uide for information on topics such as VLANs Static port based and protocol VLANs and dynamic GVRP VLANs spanning Tree 802 1D STP 802 1w RSTP and 802 1s MSTP meshing Quality of Service QoS Access Control Lists ACLs Multicast and Routing Guide Usethisguideforinformationtopicssuch as IGMP PIM SM and DM IP routing VRRP Access Security Guide Use this guide for information on topics such as Local usern...

Page 29: ... 3 Click on Product manuals 4 Click on the product for which you want to view or download a manual Online Help If you need information on specific parameters in the menu interface refer to the online help provided in the interface For example Online Help for Menu If you need information on a specific command in the CLI type the command name followed by help For example 1 7 ...

Page 30: ...on ProCurve switch technology visit the ProCurve Networking web site at http www procurve com Need Only a Quick Start IP Addressing If you just want to give the switch an IP address so that it can communicate on your network or if you are not using VLANs ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing To do so do one of the following Enter setup at the C...

Page 31: ...ide for your switch refer to Getting Documentation From the Web on page 1 7 Premium Edge Switch Features The ProCurve 3500yl and 5400zl switches ship with the ProCurve Intelligent Edge software feature set Additional Premium Edge switch software features for these switches can be acquired by purchasing a Premium Edge license and installing it on the Intelligent Edge version of these switches Part ...

Page 32: ...ion and Accounting page 6 1 Uses RADIUS authentication on a central server to allow or deny access to the switch RADIUS also provides accounting services for sending data about user activity and system events to a RADIUS server Secure Shell SSH Authentication page 7 1 Provides encrypted paths for remote access to switch management functions Secure Socket Layer SSL page 8 1 Provides remote web acce...

Page 33: ...he mechanisms used to configure and maintain security information for all routing protocols ProCurve recommends that you use local passwords together with the switch s other security features to provide a more comprehensive security fabric than if you use only local passwords General Switch Traffic Security Guideline Where the switch is running multiple security options it implements network traff...

Page 34: ... in a path by filtering packets where they enter or leave the switch on specific VLAN interfaces ACLs can filter traffic to or from a host a group of hosts or entire subnets Note on ACL ACLs can enhance network security by blocking selected IP traffic and can Security Use serve as one aspect of maintaining network security However because ACLs do not provide user or device authentication or protec...

Page 35: ...s 2 10 Clear Button 2 10 Reset Button 2 11 Restoring the Factory Default Configuration 2 11 Configuring Front Panel Security 2 12 Disabling the Clear Password Function of the Clear Button on the Switch s Front Panel 2 14 Re Enabling the Clear Button on the Switch s Front Panel and Setting or Changing the Reset On Clear Operation 2 16 Changing the Operation of the Reset Clear Combination 2 17 Passw...

Page 36: ... clear enabled page 1 13 reset on clear disabled page 1 14 factory reset enabled page 1 15 password recovery enabled page 1 15 Console access includes both the menu interface and the CLI There are two levels of console access Manager and Operator For security you can set a password pair username and password on each of these levels Not e Usernames are optional Also in the menu interface you can co...

Page 37: ...swordpair andanOperatorpasswordpair ifapplicable for your system 2 Exit from the current console session A Manager password pair will now be needed for full access to the console If you do steps 1 and 2 above then the next time a console session is started for either the menu interface or the CLI a prompt appears for a password Assuming you have protected both the Manager and Operator levels the l...

Page 38: ...nager and Operator levels and neither is entered correctly in response to the switch s password prompt then the switch does not allow management access for that session Passwords are case sensitive C a u t i o n If the switch has neither a Manager nor an Operator password anyone having access to the switch through either Telnet the serial port or the web browser interface can access the switch wit...

Page 39: ... Select Set Manager Password or Set Operator Password You will then be prompted with Enter new password b Type a password of up to 16 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new console session you will ...

Page 40: ...Level access 1 Enter the console at the Manager level 2 Go to the Set Passwords screen as described above 3 Select Delete Password Protection You will then see the following prompt Continue Deletion of password protection No 4 Press the Space bar to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot start a con s...

Page 41: ... to eliminate password security This command prompts you to verify that you want to remove one or both passwords then clears the indicated password s This command also clears the username associated with a password you are removing For example to remove the Operator password and username if assigned from the switch you would do the following Press Y foryes andpress Enter Figure 2 3 Removing a Pass...

Page 42: ...n Apply Changes Front Panel Security The front panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password Clear button or restoring the switch to its factory default configuration Reset Clear buttons together The ability to disable Password Recovery is also provided for situati...

Page 43: ...he switch that data would still remain secure If you do not invoke front panel security on the switch user defined pass words can be deleted by pushing the Clear button on the front panel This function exists so that if customers forget the defined passwords they can still get back into the switch and reset the passwords This does however leave the switch vulnerable when it is located in an area w...

Page 44: ...et button and the Clear button Reset Clear Clear Button Reset Button Figure 2 4 Front Panel Button Locations on a ProCurve Series 5400zl Switch Clear Button Pressing the Clear button alone for one second resets the password s con figured on the switch Reset Clea Figure 2 5 Press the Clear Button for One Second To Reset the Password s 2 10 ...

Page 45: ...Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button Reset Clea 2 While holding the Reset button press and hold the Clear button Reset Clea 2 11 ...

Page 46: ... the factory default settings Configuring Front Panel Security Using the front panel security command from the global configuration context in the CLI you can Disable or re enable the password clearing function of the Clear button Disabling the Clear button means that pressing it does not remove local password protection from the switch This action affects the Clear button when used alone but does...

Page 47: ...es the local usernames and passwords configured on the switch and thus removes local password protection from the switch Disabled means that pressing the Clear button does not remove the local usernames and passwords configured on the switch Default Enabled Reset on clear Shows the status of the reset on clear option Enabled or Disabled When reset on clear is disabled and Clear Password is enabled...

Page 48: ...e default front panel security settings Figure 2 7 The Default Front Panel Security Settings Disabling the Clear Password Function of the Clear Button on the Switch s Front Panel Syntax no front panel security password clear In the factory default configuration pressing the Clear button on the switch s front panel erases any local usernames and passwords configured on the switch This command disab...

Page 49: ...n the switch s front panel In this case the Show command does not include the reset on clear status because it is inoperable while theClearPasswordfunctionalityisdisabled and mustbereconfiguredwheneverClearPassword is re enabled Figure 2 8 Example of Disabling the Clear Button and Displaying the New Configuration 2 15 ...

Page 50: ...disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password clear Note If you disable password clear and also disable the password recovery option you can still recover from a lost password by using the Reset Cle...

Page 51: ... combination to replace the switch s current configu ration with the factory default configuration and render the switch acces sible without the need to input a username or password You can use the factory reset command to prevent the Reset Clear combination from being used for this purpose Syntax no front panel security factory reset Disables or re enables the following functions associated with ...

Page 52: ...tomer Care Center to acquire a one time use password Disabling or Re Enabling the Password Recovery Process Disabling the password recovery process means that the only method for recovering from a lost manager username if configured and password is to reset the switch to its factory default configuration which removes any non default configuration settings C a u t i o n Disabling password recovery...

Page 53: ...iguration Note To disable password recovery Youmusthavephysicalaccesstothefrontpaneloftheswitch The factory reset parameter must be enabled the default Default Enabled Steps for Disabling Password Recovery 1 Set the CLI to the global interface context 2 Use show front panel security to determine whether the factory reset parameter is enabled If it is disabled use the front panel security factory r...

Page 54: ... the network to prevent unauthorized access and other problems while it is being reconfig ured To use the password recovery option to recover a lost password 1 Note the switch s base MAC address It is shown on the label located on the upper right front corner of the switch 2 Contact your ProCurve Customer Care Center for further assistance Using the switch s MAC address the ProCurve Customer Care ...

Page 55: ...Configuring Username and Password Security Front Panel Security 2 21 ...

Page 56: ...Configuring Username and Password Security Front Panel Security 2 22 ...

Page 57: ...on Rate Filtering and Configuring Sensitivity 3 12 Configuring the Per Port Filtering Mode 3 13 Example of a Basic Connection Rate Filtering Configuration 3 14 Viewing and Managing Connection Rate Status 3 16 Viewing the Connection Rate Configuration 3 16 Listing and Unblocking the Currently Blocked Hosts 3 18 Configuring and Applying Connection Rate ACLs 3 20 Connection Rate ACL Operation 3 21 Co...

Page 58: ...Virus Throttling Contents Operating Notes 3 30 Connection Rate Log and Trap Messages 3 31 3 2 ...

Page 59: ...us throttling technology is recommended for use on the edge of a network It is primarily concerned with the class of worm like malicious code that tries to replicate itself by using vulnerabilities on other hosts that is weaknesses in network applications behind unsecured ports Agents of this variety operate by choosing a set of hosts to attack based on an address range sequential or random that i...

Page 60: ...ngs when worm like behavior is detected Gives IT staff more time to react before the threat escalates to a crisis Note When configured on a port connection rate filtering is triggered by routed IPv4 traffic received inbound with a relatively high rate of IP connection attempts Connection Rate filtering is not triggered by such traffic when both the SA and DA are in the same VLAN that is switched t...

Page 61: ...ds in one of the following ways depending on how connection rate filtering is configured Notify only of potential attack While the apparent attack continues the switch generates an Event Log notice identifying the offending host SA and if a trap receiver is configured on the switch a similar SNMP trap notice Notify and reduce spreading In this case the switch temporarily blocks inbound routed traf...

Page 62: ...ering only to ports posing a significant risk of attack For ports that are reasonably secure from attack then there may be little benefit in configuring them with connection rate filtering Connection Rate ACLs The basic connection rate filtering policy is con figured per port as notify only throttle and block A connection rate ACL cre ates exceptions to these per port policies by creating special ...

Page 63: ... Address In an IP packet this is the source IP address carried in the header and identifies the packet s originator See also DA Switched Traffic Traffic moving from an SA in a given VLAN to a DA in the same VLAN Sometimes termed bridged traffic Throttle For connection rate filtering applications this means to tempo rarily block traffic from a host exhibiting a relatively high incidence of attempts...

Page 64: ...spect host is subject to the configured connection rate policy notify only throttle or block Where the switch is throttling or blocking inbound routed traffic from a host any outbound routed or switched traffic for that host is still permitted A host blocked by connection rate filtering remains blocked until explicitly unblocked by one of the following The vlan vid connection rate filter unblock c...

Page 65: ... ifconfigured theavailableSNMPtrapreceivers to identify hosts exhibiting high connection rates 6 Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior 7 Hostsdemonstratinghigh butlegitimateconnectionrates suchasheavily used servers may trigger a connection rate filter Configure connection rate ACLs t...

Page 66: ...require updates or patches to eliminate malicious code 1 Configure connection rate filtering to throttle on all ports 2 Set global sensitivity to medium 3 Use clear arp to clear the arp cache 4 If SNMP trap receivers are available in your network use the snmp server command to configure the switch to send SNMP traps 5 Monitor the Event Log or the available SNMP trap receivers if configured on the ...

Page 67: ...ring throttles or blocks traffic from a source all routed traffic from that source is throttled or blocked Traffic switched within the VLAN is not affected Using this feature requires that IP routing and multiple VLANs are enabled Global and Per Port Configuration Use the commands in this section to enable connection rate filtering on the switch and to apply the filtering on a per port basis You c...

Page 68: ...nection rate sensitivity to the lowest possible sensitivity which allows a mean of 54 routed destinations in less than 0 1 seconds and a corresponding penalty time for Throttle mode if configured of less than 30 seconds medium Sets the connection rate sensitivity to allow a mean of 37 routed destinations in less than 1 second and a corre sponding penalty time for Throttle mode if configured betwee...

Page 69: ...SNMP trap receivers configured on the switch throttle If the switch detects a relatively high number of routed IP connection attempts from a specific host this option gener ates the notify only messaging and also blocks all routed traffic inbound from the offending host for a penalty period After the penalty period the switch allows routed traffic from the offend ing host to resume and re examines...

Page 70: ...Figure 3 2 Sample Network Basic Configuration Suppose that in the sample network the administra tor wanted to enable connection rate filtering and configure the following response to high connection rate traffic on the switch Ports B1 B3 Throttle traffic from the transmitting host s Port B4 Respond with Notify Only to identify the transmitting host s Ports B9 D1 and D2 Block traffic from the trans...

Page 71: ...Indicates that connectivity rate filtering is enabled at the low sensitivity setting Configures the desired responses to inbound high connectivity rate traffic on the various ports Showstheper portconfiguration for the currently enabled connectivity rate filtering Figure 3 3 Example of a Basic Connection Rate Configuration 3 15 ...

Page 72: ...nnection rate configuration If you need to view connection rate ACLs and or any other switch configura tion details use show config or show running page 3 17 Syntax show connection rate filter Displays the current global connection rate status enabled disabled and sensitivity setting and the cur rent per port configuration This command does not display the current optional connection rate ACL con ...

Page 73: ...e For example Example of a connection rate filtering ACL appearing in a VLAN configuration Example of a connection rate filtering ACL appearing in the configuration Example of per port connection rate filtering policies appearing in the configuration Entry showing that connection rate filtering is enabled and set to medium sensitivity Figure 3 5 Example of Connection Rate Filtering Configuration i...

Page 74: ...ting the Hosts Currently in Any Connection Rate State Figure 3 7 Example of Listing the Hosts Currently Blocked by Connection Rate Filtering If a host becomes blocked by triggering connection rate filtering on a port configured to block high connection rates the host remains blocked on all ports on the switch even if you change the per port filtering configuration or disable connection rate filter...

Page 75: ...ACL to create a filtering exception for the host Syntax vlan vid connection rate filter unblock all host ip addr all In the specified VLAN unblocks all hosts currently blocked due to action by connection rate filtering on ports where block mode has been configured host ip addr In the specified VLAN unblocks the single host currently blocked due to action by connection rate filtering on ports where...

Page 76: ...m a particular source Use of connection rate ACLs provides the option to apply exceptions to the configured connection rate filtering policy This enables you to allow legiti mate traffic from a trusted source and apply connection rate filtering only to inboundtraffic from untrustedsources Forexample wherea connection rate policy has been configured you can apply a connection rate ACL that causes t...

Page 77: ...ic from trusted sources without filtering the traffic for the configured connection rate policy You can configure anACL to assign policy filtering filter for traffic from some sources and no policy filtering ignore for traffic from other sources How ever the implicit filter invoked as the last entry in any connection rate ACL ensures that any traffic not specifically excluded from policy filtering...

Page 78: ...tion assigns policy filtering to traffic with an SA matching the source address in the ACE The ignore option specifies bypassing policy filtering for traffic with an SA that matches the source address in the ACE ip any host ip addr ip addr mask length Specifies the SA criteria for traffic addressed by the ACE any Applies the ACEs action filter or ignore to traffic having any SA host ip addr Applie...

Page 79: ...k length udp tcp options Used in the ACE context above to specify the action of the connection rate ACE filter or ignore and the UDP TCP criteria and SA of the IP traffic that the ACE affects filter ignore filter This option assigns a policy of filtering drop ping IP traffic having an SA that matches the source address criteria in the ACE ignore This option specifies a policy of allowing IP traffi...

Page 80: ...data operator tcp port udp data operator udp port operator eq gt lt neq range eq port nbr or name Equal To to have a match with the ACE entry the TCP or UDP source port number in a packet must be equal to the specified port number gt port nbr or name Greater Than to have a match with the ACE entry the TCP or UDP source port number in a packet must be greater than the specified port number lt port ...

Page 81: ... 1812 radius old Remote Authentication Dial In User Service 1645 rip Routing Information Protocol 520 snmp Simple Network Management Protocol 161 snmp trap Simple Network Management Pro tocol 162 tftp Trivial File Transfer Protocol 69 ProCurve config ignore tcp host 15 75 10 11 destination port eq 1812 source port eq 1812 ProCurve config filter udp 15 75 10 0 24 source port neq 162 destination por...

Page 82: ... connection rate ACL to that VLAN the second ACL overwrites the first one A connection rate ACL can be in addition to any standard or extended ACLs already assigned to the VLAN Using CIDR Notation To Enter the ACE Mask You can use CIDR Classless Inter Domain Routing notation to enter ACE masks The switch interprets the bits specified with CIDR notation as the IP address bits in an ACE and the corr...

Page 83: ... 5400zl Switch Server VLAN 15 15 45 300 1 Switch Server Server Switch Switch A B C D E H F G B1 B2 B3 B9 B4 D1 D2 IP Address 15 45 100 7 IP Address 15 45 50 17 Figure 3 10 Sample Network In the basic example on page 3 14 the administrator configured connection rate blocking on port D2 However The administrator has elevated the connection rate sensitivity to high The server at IP address 15 45 50 1...

Page 84: ...erver Include a CIDR notation of 32 for the ACL mask Which means the mask will allow only traffic whose SA exactly matches the specified IP address The ACL will automatically include the implicit filter ACE as the last entry which means that any traffic that is not from the desired server will be subject to filtering by the connection rate policy configured on port D2 2 Assigning the ACL to the VL...

Page 85: ... Connection Rate ACLs The new switch configuration includes the ACL configured in figure 3 11 Shows the assignment of the above connection rate ACL to VLAN 15 Figure 3 12 Example of Switch Configuration Display with a Connection Rate ACL 3 29 ...

Page 86: ...ost at 15 45 127 43 requires connection rate screen ing but all other hosts in the VLAN do not you would configure and apply a connection rate ACL with filter ip host 15 45 127 43 as the first ACE and ignore ip any as the second ACE In this case the traffic from host 15 45 127 43 would be screened but traffic from all other hosts on the VLAN would be permitted without connection rate screening Imp...

Page 87: ... Event Log If SNMP trap receivers are configured on the switch it also sends the messages to the designated receiver s Message Meaning Address not found in list of blocked Appears in the CLI when the vlan vid connection hosts rate filter unblock command has been executed to unblock hosts that are not currently blocked W mm dd yy hh mm ss virusfilt Source IP A warning that results when a port confi...

Page 88: ...Virus Throttling Connection Rate Log and Trap Messages This page is intentionally unused 3 32 ...

Page 89: ...Web MAC Authentication 4 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 4 13 Configuring the Switch To Access a RADIUS Server 4 14 Configuring Web Authentication on the Switch 4 17 Overview 4 17 Configure the Switch for Web Based Authentication 4 18 Configuring MAC Authentication on the Switch 4 22 Overview 4 22 Configure the Switch for MAC Based Authenti...

Page 90: ...to provide backups in case access to the primary server fails It also means the same credentials can be used for authentication regardless of which switch or switch port is the current access point into the LAN Web Authentication Web Auth This method uses a web page login to authenticate users for access to the network When a user connects to the switch and opens a web browser the switch automatic...

Page 91: ... disabled on ports configured for any of these authentication methods Client Options Web Auth and MAC Auth provide a port based solution in which a port can belong to one untagged VLAN at a time However where all clients can operate in the same VLAN the switch allows up to 32 simultaneous clients per port In applications where you want the switch to simultaneously support multiple client sessions ...

Page 92: ...rver to temporarily assign a port to a static VLAN to support an authenticated client When a RADIUS server authenticates a client the switch port membership during the client s connection is determined according to the following hierarchy 1 A RADIUS assigned VLAN 2 An authorized VLAN specified in the Web or MAC Auth configuration for the subject port 3 A static port based untagged VLAN to which th...

Page 93: ... or limited network access as defined by the System Administrator Web based Authentication When a client connects to a Web Auth enabled port communication is redi rected to the switch A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials Figure 4 1 Example of User Login Screen The temporary IP address pool can be specified using ...

Page 94: ... the client session the port belongs to the authorized VLAN auth vid if configured and temporarily drops all other VLAN memberships 3 If neither 1 or 2 above apply but the port is an untagged member of a statically configured port based VLAN then the port remains in this VLAN 4 If neither 1 2 or 3 above apply then the client session does not have access to any statically configured untagged VLANs ...

Page 95: ...pecific guest network resources If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available Should another client success fully authenticate through that port any unauthenticated clients on the unauth vid are dropped from the port MAC based Authentication When a client connects to a MAC Auth enabled port traffic is blocked The switch immediately submits...

Page 96: ...on the port returns to its pre authentication state Any changes to the port s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid credentials or a RADIUS server timeout The server timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out The max requests ...

Page 97: ...s or username and password before being allowed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified web page presented to an authorized client following W...

Page 98: ...a higher Access precedent port access management feature is not enabled on the port For Management example be sure that Port Security is disabled on a port before configuring the port for Web or MAC Authentication If Port Security is enabled on the port this misconfiguration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to conf...

Page 99: ...AC based authentication must be statically configured VLANs on the switch Also if you configure one or both of these options any services you want clients in either category to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an authen...

Page 100: ...d pair at least until your other security measures are in place to protect the switch configuration from unauthorized access 2 Determine which ports on the switch you want to operate as authentica tors Note that before you configure Web or MAC based authentication on a port operating in an LACP trunk you must remove the port from the trunk refer to the Note on Web MAC Authentication and LACP on pa...

Page 101: ...he authentication policy you want on the RADIUS server and configure the server Refer to the documentation provided with your RADIUS application and include the following in the policy for each client or client device The CHAP RADIUS authentication method An encryption key One of the following If you are configuring Web based authentication include the user name and password for each authorized cl...

Page 102: ...ned to the VLAN through which the device communicates with the authenticator switch Note that the switch applies a single MAC address to all VLANs configured in the switch Thus for a given switch the MAC address is the same for all VLANs configured on the switch Refer to the chapter titled Static Virtual LANs VLANs in the Advanced Traffic Management Guide for your switch Configuring the Switch To ...

Page 103: ...h does not have a server specific key assignment below This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key Default Null Syntax radius server host ip address key server specific key string no radius server host ip address key Optional Specifies an encryption key for use during authentication or accounting sessions with the speci fied...

Page 104: ...witch To Access a RADIUS Server For example to configure the switch to access a RADIUS server at IP address 192 168 32 11 using a server specific shared secret key of 1A7rd Figure 4 4 Example of Configuring a Switch To Access a RADIUS Server 4 16 ...

Page 105: ... that the switch can communicate with the RADIUS server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Configure the switch for Web Auth a Configure Web Authentication on the switch ports you want to use b If the necessary to avoid address conflicts with the secure network specify the base IP...

Page 106: ...0 quiet period 4 20 reauth period 4 20 reauthenticate 4 20 redirect url 4 21 server timeout 4 21 ssl login 4 21 unauth vid 4 22 Syntax aaa port access web based dhcp addr ip address mask Specifies the base address mask for the temporary IP pool used by DHCP The base address can be any valid ip address not a multicast address Valid mask range value is 255 255 240 0 255 255 255 0 Default 192 168 0 0...

Page 107: ...Default 0 Syntax aaa port access web based e port list client limit 1 32 Specifies the maximum number of authenticated clients to allow on the port Default 1 Note On switches where Web Auth and 802 1X can operate concurrently this limit includes the total number of clients authenticated through both methods Syntax no aaa port access web based e port list client moves Allows client moves between th...

Page 108: ...aa port access web based e port list max retries 1 10 Specifies the number of the number of times a client can enter their user name and password before authen tication fails This allows the reentry of the user name and password if necessary Default 3 Syntax aaa port access web based e port list quiet period 1 65535 Specifies the time period in seconds the switch should wait before attempting an a...

Page 109: ...L Default There is no default URL Browser behavior for authenticated clients may not be acceptable Syntax aaa port access web based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt or ends the authentication session Default 30 seconds Synta...

Page 110: ...f you plan to use multiple VLANs with MAC Authentication ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made 3 Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC Auth on the switch 4 Configure the switch with the correct IP address and encr...

Page 111: ...ss mac based addr format no delimiter single dash multi dash multi colon Specifies the MAC address format to be used in the RADIUS request message This format must match the format used to store the MAC addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb cc dd ee ff format mult...

Page 112: ... address moves between ports under MAC Auth control Default disabled no moves allowed Syntax aaa port access mac based e port list auth vid vid no aaa port access mac based e port list auth vid Specifies the VLAN to use for an authorized client The Radius server can override the value accept response includes a vid If auth vid is 0 no VLAN changes occur unless the RADIUS server supplies one Use th...

Page 113: ... seconds Syntax aaa port access mac based e port list reauthenticate Forces a reauthentication of all attached clients on the port Syntax aaa port access mac based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt or ends the authentication ...

Page 114: ...well as its current VLAN ID Ports without Web Authenti cation enabled are not listed Syntax show port access port list web based clients Shows the port address Web address session status and elapsed session time for attached clients on all ports or the specified ports Ports with multiple clients have an entry for each attached client Ports without any attached clients are not listed Syntax show po...

Page 115: ...ific settings for password retries SSL login status and a redirect URL if specified Syntax show port access port list web based config detail Shows all Web Authentication settings including the Radius server specific settings for the specified ports Show Status and Configuration of MAC Based Authentication Command Page show port access port list mac based 4 27 clients 4 28 config 4 28 config auth ...

Page 116: ...d ports including the MAC address format being used The authorized and unauthorized VLAN IDs are shown If the authorized or unauthorized VLAN ID is 0 then no VLAN change is made unless the RADIUS server supplies one Syntax show port access port list mac based config auth server Shows MAC Authentication settings for all ports or the specified ports along with the Radius server specific settings for...

Page 117: ...ies See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan Unauthorized VLAN only 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfully applied to the port An author...

Page 118: ...Web and MAC Authentication Client Status This page intentionally unused 4 30 ...

Page 119: ...wing the Switch s Current TACACS Server Contact Configuration 5 10 Configuring the Switch s Authentication Methods 5 11 Configuring the Switch s TACACS Server Access 5 15 How Authentication Operates 5 20 General Authentication Process Using a TACACS Server 5 20 Local Authentication Process 5 22 Using the Encryption Key 5 23 General Operation 5 23 Encryption Options in the Switch 5 23 Controlling W...

Page 120: ...figured for TACACS Operation Terminal A Directly Accessing the Switch Via Switch s Console Port Terminal B Remotely Accessing The Switch Via Telnet A Primary TACACS Server The switch passes the login requestsfromterminalsAandB to the TACACS server for authentication The TACACS server determines whether to allow access to the switch and what privilege level to allow for a given access request Acces...

Page 121: ...or management station configured as an access control server for TACACS enabled devices To use TACACS with a switch covered in this guide and any other TACACS capable devices in your network you must purchase install and configure a TACACS server application on a networked server or managementstation inthe network The TACACS server application you install will provide various options for access co...

Page 122: ...les you to use a TACACS server in your network to assign a unique password user name and privilege level to each individual or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central server and to do so with more options than you have when using only local authentication You will still need to use local authen...

Page 123: ...that you use a TACACS server application that supports a redundant backup installation This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect web browser interface access Refer to Controlling Web Browser Interface Access When Using TACACS Authentication on page 5 24 General Authentication Setup Procedure It ...

Page 124: ...mine which server is your first choice for authentication services The encryption key if any for allowingtheswitchtocommunicate with the server You can use either a global key or a server specific key depending on the encryption configuration in the TACACS server s The number of log in attempts you will allow before closing a log in session Default 3 The period you want the switch to wait for a re...

Page 125: ...has the correct local username and password for Manager access If the switch cannot find any designated TACACS servers the local manager and operator username password pairs are always used as the secondary access control method You should ensure that the switch has a local Manager password Other wise if authentication through a TACACS server fails for any reason then unauthorized access will be a...

Page 126: ...a that could affect the console access 9 When you are confident that TACACS access through both Telnet and the switch s console operates properly use the write memory command to save the switch s running config file to flash Configuring TACACS on the Switch Before You Begin If you are new to TACACS authentication ProCurve recommends that you read the General Authentication Setup Procedure on page ...

Page 127: ...thentication Configuration This command lists the number of login attempts the switch allows in a single login session and the primary secondary access methods configured for each type of access Syntax show authentication This example shows the default authentication configuration Configuration for login and enable access to the switch through the switch console port Configuration for login and en...

Page 128: ...CS servers the switch can contact Syntax show tacacs For example if the switch was configured for a first choice and two backup TACACS server addresses the default timeout period and paris 1 for a global encryption key show tacacs would produce a listing similar to the following First Choice TACACS Server Second Choice TACACS Server Third Choice TACACS Server Figure 5 3 Example of the Switch s TAC...

Page 129: ...uthentication console telnet Selects either console serial port or Telnet access for configuration enable login Selects either the Manager enable or Operator login access level local tacacs radius Selects the type of security access local Authenticates with the Manager and Operator password you configure in the switch tacacs Authenticates with a password and other data configured on a TACACS serve...

Page 130: ...assword pair configured locally in the switch for the privilege level being configured none No secondary type of authentication for the specified method privilege path Available only if the primary method of authentication for the access being configured is local Note If you do not specify this parameter in the command line the switch automatically assigns the secondary method as follows If the pr...

Page 131: ...ocal level of username password protection Caution Regarding the Use of Local for Login Primary Access During local authentication which uses passwords configured in the switch instead of in a TACACS server the switch grants read only access if you enter the Operator password and read write access if you enter the Manager password For example if you configure authentication on the switch with Teln...

Page 132: ...sing TACACS server Secondary using Local ProCurve config aaa authentication console enable tacacs local Telnet Login Operator or Read Only Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication Telnet login tacacs local Telnet Enable Manager or Read Write Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication telnet enable t...

Page 133: ...ryption keys you can configure the switch to use different encryp tion keys for different TACACS servers The timeout value in seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the switch s...

Page 134: ...period for a TACACS server response Default 5 seconds Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS servers the switch will attempt to use for authentication If you configure a global encryption key the switch uses it only with servers for which you have not also configured a server specific key Thus a global key is more useful where the TACAC...

Page 135: ...already configured entering another server IP address makes that server the second choice backup TACACS server 3 When there are two TACACS servers already configured entering another server IP address makes that server the third choice backup TACACS server The above position assignments are fixed Thus if you remove one server and replace it with another the new server assumes the priority position...

Page 136: ...does not detect a response within the timeout period it initiates a new request to the next TACACS server in the list If all TACACS servers in the list fail to respond within the timeout period the switch uses either local authentication if configured or denies access if none configured for local authentication Adding Removing or Changing the Priority of a TACACS Server Suppose that the switch was...

Page 137: ... key then the authentication attempt will fail Use a global encryption key if the same key applies to all TACACS servers the switch may use for authentication attempts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 5 23 To configure north01 as a global encryption key ProCurve ...

Page 138: ...nse to an authentication request from a TACACS server before either sending a new request to the next server in the switch s Server IP Address list or using the local authentication option For example to change the timeout period from 5 seconds the default to 3 seconds ProCurve config tacacs server timeout 3 How Authentication Operates General Authentication Process Using a TACACS Server Authentic...

Page 139: ...er receives the username input the requesting terminal receives a password prompt from the server via the switch 4 When the requesting terminal responds to the prompt with a password the switch forwards it to the TACACS server and one of the following actions occurs If the username password pair received from the requesting terminal matches a username password pair previously stored in the server ...

Page 140: ...ables only local password configuration If the operator at the requesting terminal correctly enters the user name password pair for either access level access is granted Iftheusername passwordpairenteredattherequestingterminaldoes not match either username password pair previously configured locally in the switch access is denied In this case the terminal is again prompted to enter a username pass...

Page 141: ...communication between the switch and the TACACS server will fail Thus on the TACACS server side you have a choice as to how to implement a key On the switch side it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server For information on how to configure a general or individual key in the TACACS server refer to the documentation you received with the...

Page 142: ...cacs server host 10 28 227 87 key south10campus With both of the above keys configured in the switch the south10campus key overrides the north40campus key only when the switch tries to access the TACACS server having the 10 28 227 87 address Controlling Web Browser Interface Access When Using TACACS Authentication Configuring the switch for TACACS authentication does not affect web browser interfa...

Page 143: ... match the username password pair configured in the switch No Tacacs servers responding TheswitchhasnotbeenabletocontactanydesignatedTACACS servers Ifthismessage is followed by the Username prompt the switch is attempting local authentication Not legal combination of authentication methods For console access if you select tacacs as the primary authentication method you must selectlocalastheseconda...

Page 144: ... enabled on the switch or when the switch s only designated TACACS servers are not accessible setting a local Operator password without also setting a local Manager password does not protect the switch from manager level access by unautho rized persons 5 26 ...

Page 145: ...nal Access Privilege Option 6 12 3 Configure the Switch To Access a RADIUS Server 6 13 4 Configure the Switch s Global RADIUS Parameters 6 15 Local Authentication Process 6 19 Controlling Web Browser Interface Access 6 20 Configuring RADIUS Accounting 6 21 Operating Rules for RADIUS Accounting 6 22 Steps for Configuring RADIUS Accounting 6 23 1 Configure the Switch To Access a RADIUS Server 6 23 2...

Page 146: ...RADIUS Authentication and Accounting Contents RADIUS Accounting Statistics 6 32 Changing RADIUS Server Access Order 6 33 Messages Related to RADIUS Operation 6 36 6 2 ...

Page 147: ... employed For authentication this allows a different password for each user instead of having to rely on maintaining and distributing switch specific passwords to all users For accounting this can help you track network resource usage Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the ProCurve switch Serial port Console Teln...

Page 148: ... specified port s port access authentication only Per Port Rate Limiting on a port with an active link to an authenti cated client port access authentication only Terminology CHAP Challenge Handshake Authentication Protocol A challenge response authentication protocol that uses the Message Digest 5 MD5 hashing scheme to encrypt a response to a challenge from a RADIUS server CoS Class of Service Su...

Page 149: ...US server to specific an optional switch feature assigned by the server during an authenticated client session Switch Operating Rules for RADIUS You must have at least one RADIUS server accessible to the switch The switch supports authentication and accounting using up to three RADIUS servers The switch accesses the servers in the order in which they are listed by showradius page 6 29 If the first...

Page 150: ... the client again to enter a username and password In this case use the local user name if any and password configured on the switch itself Zero length usernames or passwords are not allowed for RADIUS authentication even though allowed by some RADIUS servers TACACS is not supported for the web browser interface access 6 6 ...

Page 151: ...ches covered in this guide Figure 6 1 Example of Possible RADIUS Access Assignments Determine the IP address es of the RADIUS server s you want to support the switch You can configure the switch for up to three RADIUS servers If you need to replace the default UDP destination port 1812 the switch uses for authentication requests to a specific RADIUS server select it before beginning the configurat...

Page 152: ... Type value the RADIUS server includes in its authentication message to the switch Refer to 2 Enable the Optional Access Privilege Option on page 6 12 Configure RADIUS on the server s used to support authentication on the switch Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page aaa authentication 6 10 console telnet ssh web enable login radius 6 10 local none log...

Page 153: ...6 10 3 Configure the switch for accessing one or more RADIUS servers one primary server and up to two backup servers Note This step assumes you have already configured the RADIUS server s to support the switch Refer to the documentation provided with the RADIUS server documentation Server IP address Optional UDP destination port for authentication requests default 1812 recommended Optional UDP des...

Page 154: ...me counter to assume the server is available and then try to log on again Number of Login Attempts This is actually an aaa authentication command It controls how many times per session a RADIUS client and clients using other forms of access can try to log in with the correct username and password Default Three times per session For RADIUS accounting features refer to Configuring RADIUS Accounting ...

Page 155: ...ot local This prevents you from being locked out of the switch in the event of a failure in other access methods For example suppose you already configured local passwords on the switch but want RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option the switch s local passwords The switch now allows Telnet and SSH authentication only through RADIUS...

Page 156: ... a client for whom the RADIUS server specifies this access level Syntax no aaa authentication login privilege mode When enabled the switch reads the Service Type field in the client authentication received from a RADIUS server The following table describes the applicable Service Type values and corresponding client access levels the switch allows upon authentication by the server Service Type Valu...

Page 157: ...US Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services Note If you want to configure RADIUS accounting on the switch go to page 6 21 Configuring RADIUS Accounting instead of continuing here Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the conf...

Page 158: ...n key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for the global encryption key Note When you save the config file using Xmodem or TFTP the key information is not saved in the file This causes Radius authentication to break when the config file is loaded back onto the switch no radius server host ip address key Use the...

Page 159: ...ration Compare this with Figure 6 4 Sample Configuration for RADIUS Server After Changing the Key and Adding Another Server To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 6 33 4 Configure the Switch s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters Number of login attempts In a gi...

Page 160: ...t attempt to contact a RADIUS serverfails specifieshowmanyretriesyouwanttheswitchtoattempt on that server Syntax aaa authentication num attempts 1 10 Specifies how many tries for entering the correct user name and password before shutting down the session due to input errors Default 3 Range 1 10 no radius server key global key string Specifies the global encryption key the switch uses with servers...

Page 161: ...Troubleshooting chapter of the Manage ment and Configuration Guide for your switch For example suppose that your switch is configured to use three RADIUS serversforauthenticatingaccessthroughTelnetandSSH Twooftheseservers use the same encryption key In this case your plan is to configure the switch with the following global authentication parameters Allow only two tries to correctly enter username...

Page 162: ...session Global RADIUS parameters from figure 6 5 These two servers will use the global encryption key Server specific encryption key for the RADIUS server that will not use the global encryption key Note The Webui access task shown in this figure is available only ontheswitches coveredin this guide Figure 6 6 Listings of Global RADIUS Parameters Configured In Figure 6 5 6 18 ...

Page 163: ...requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level of the swit...

Page 164: ...ide Configure local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow web browser access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Use one of the following methods to disable web browser access to the s...

Page 165: ...ervers to support the switch If you have not already done so refer to General RADIUS Setup Procedure on page 6 7 before continuing here RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch such as a logoff or a reboot The switches covered in this guide support three types of accounting services Network accou...

Page 166: ...nd managed by the server For more information on this aspect of RADIUS accounting refer to the documentation provided with your RADIUS server Operating Rules for RADIUS Accounting You can configure up to three types of accounting to run simulta neously exec system and network RADIUS servers used for accounting are also used for authentication The switch must be configured to access at least one RA...

Page 167: ...ting configure a server specific key This key overrides the global encryption key you can also configure on the switch and must match the encryption key used on the specified RADIUS server For more information refer to the key key string parameter on page 6 13 Default null 2 Configure accounting types and the controls for sending reports to the RADIUS server Accounting types exec page 6 22 network...

Page 168: ... not use this option the switch automatically assigns the default accounting port number Default 1813 key key string Optional Specifies an encryption key for use during accounting or authentication sessions with the speci fied server This key must match the encryption key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for...

Page 169: ... to the accounting port UDP port numbers Because auth port was not included in the command the authentication UDP port is set to the default 1812 Figure 6 7 Example of Configuring for a RADIUS Server with a Non Default Accounting UDP Port Number The radius server command as shown in figure 6 7 above configures the switch to use a RADIUS server at IP address 10 33 18 151 with a non default UDP acco...

Page 170: ... a stop record notice at the end of the session Both notices include the latest data the switch has collected for the requested accounting type Network Exec or System Do not wait for an acknowledgement The system option page 6 25 ignores start stop because the switch sends the accumulated data only when there is a reboot reload or accounting on off event Stop Only Send a stop record accounting not...

Page 171: ...ing Options These optional parameters give you additional control over accounting data Updates In addition to using a Start Stop or Stop Only trigger you can optionally configure the switch to send periodic accounting record updates to a RADIUS server Suppress The switch can suppress accounting for an unknown user having no username Syntax no aaa accounting update periodic 1 525600 Sets the accoun...

Page 172: ...gure 6 8 suppose that you wanted the switch to Send updates every 10 minutes on in progress accounting sessions Block accounting for unknown users no username Update Period Suppress Unknown User Figure 6 9 Example of Optional Accounting Update Period and Accounting Suppression on Unknown User 6 28 ...

Page 173: ...DIUS configuration including the server IP addresses Optional form shows data for a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Configuring RADIUS Accounting on page 6 21 Figure 6 10 Example of General RADIUS Information from Show Radius Command 6 29 ...

Page 174: ...well as a timeout A send to a different server is counted as an Accounting Request as well as a timeout Malformed Responses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses Bad Authenticators The number of RADIUS Accoun...

Page 175: ...allowed in a session show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch s interactions with this server Requires prior use of the radius server host command to configure a RADIUS server IP address in the switch See Configuring RADIUS Accounting on page 6 21 Note The Webui access task shown in this figure is available only on the 5400zl switch...

Page 176: ... Lists configured accounting interval Empty User suppres sion status accounting types methods and modes show radius accounting Lists accounting statistics for the RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the switch Figure 6 14 Listing the Accounting Configuration in the Switch 6 32 ...

Page 177: ...list Adding or deleting a RADIUS server IP address leaves an empty position but does not change the position of any other server addresses in the list For example if you initially configure three server addresses they are listed in the order in which you entered them However if you subsequently remove the second server address in the list and add a new server address the new address will be placed...

Page 178: ...DIUS Server To exchange the positions of the addresses so that the server at 10 10 10 003 will be the first choice and the server at 10 10 10 001 will be the last you would do the following 1 Delete 10 10 10 003 from the list This opens the third lowest position in the list 2 Delete 10 10 10 001 from the list This opens the first highest position in the list 3 Re enter 10 10 10 003 Because the swi...

Page 179: ...addresses from the RADIUS server list Inserts the 003 address in the first position in the RADIUS server list and inserts the 001 address in the last position in the list Shows the new order in which the switch searches for a RADIUS server Figure 6 18 Example of New RADIUS Server Search Order 6 35 ...

Page 180: ...tly configured to receive an authentication request from the switch No server s responding The switch is configured for and attempting RADIUS authentication however it is not receiving a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for ...

Page 181: ...ration 7 9 1 Assigning a Local Login Operator and Enable Manager Password 7 9 2 Generating the Switch s Public and Private Key Pair 7 10 3 Providing the Switch s Public Key to Clients 7 12 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 7 15 5 Configuring the Switch for SSH Authentication 7 18 6 Use an SSH Client To Access the Switch 7 21 Further Information on SSH Client...

Page 182: ...elnet likefunctionsbut unlikeTelnet SSHprovidesencrypted authenticated transactions The authentication types include Client public key authentication Switch SSH and user password authentication Client Public Key Authentication Login Operator Level with User Password Authentication Enable Manager Level This option uses one or more public keys from clients that must be stored on the switch Only a cl...

Page 183: ...s not use a key to authenticate itself to the switch ProCurve Switch SSH Server SSH Client Work Station 1 Switch to Client SSH 2 User to Switch login password and enable password authentication options Local TACACS Figure 7 2 Switch User Authentication On the switches covered in this guide SSH supports these data encryption methods 3DES 168 bit DES 56 bit Note ProCurve switches use RSA keys for in...

Page 184: ...terpart can be copied and stored on multiple devices Public Key An internally generated counterpart to a private key A device s public key is used to authenticate the device to other devices Enable Level Manager privileges on the switch Login Level Operator privileges on the switch Local password or username A Manager level or Operator level password configured in the switch SSH Enabled 1 A public...

Page 185: ...cation page 7 2 then the client program must have the capability to generate or import keys Public Key Formats Any client application you use for client public key authentication with the switch must have the capability to export public keys The switch can accept keys in the PEM Encoded ASCII Format or in the Non Encoded ASCII format Comment describing public Beginning of actual SSHv2 public key i...

Page 186: ...s No Yes local or none ssh enable radius Yes No Yes local or none 1 For ssh login public key the switch uses client public key authentication instead of the switch password options for primary authentication The general steps for configuring SSH include A Client Preparation 1 Install an SSH client application on a management station you want to use for access to the switch Refer to the documentati...

Page 187: ...dary authentication methods you want the switch to use In all cases the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none Option B Primary Client public key authentication login public key page 7 22 Secondary Local password or none Note ...

Page 188: ...are not affected by reboots or the erase startup config command Once you generate a key pair on the switch you should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow security breaches The swi...

Page 189: ...acacs radius public key local none enable tacacs radius local local none 7 21 7 11 7 16 7 16 7 16 7 16 7 16 7 18 7 20 7 18 7 18 7 18 copy tftp pub key file tftp server IP public key file 7 25 clear crypto client public key keylist str 7 25 1 Assigning a Local Login Operator and Enable Manager Password At a minimum ProCurve recommends that you always assign at least a Manager password to the switch...

Page 190: ...ash memory and only the public key in this pair is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the SSH clients which should have access to the switch Some SSH client appli cations automatically add the switch spublic key to a knownhosts file Other SSH applications require you to manually create a known hosts file and place the s...

Page 191: ...ny active SSH sessions will continue to run unless explicitly terminated with the CLI kill command To Generate or Erase the Switch s Public Private RSA Host Key Pair Because the host key pair is stored in flash instead of the running config file it is not necessary to use write memory to save the key pair Erasing the key pair automatically disables SSH Syntax crypto key generate ssh rsa Generates ...

Page 192: ...r version 1 keys the three numeric valuesbit size exponent e and modulus n must match for PEM keys only the PEM encoded string itself must match Notes Zeroizing the switch s key automatically disables SSH sets ip ssh to no Thus if you zeroize the key and then generate a new key you must also re enable SSH with the ip ssh command before the switch can resume SSH operation 3 Providing the Switch s P...

Page 193: ...e of a Public Key Generated by the Switch The generated public key on the switch is always 896 bits With a direct serial connection from a management station to the switch 1 Use a terminal application such as HyperTerminal to display the switch s public key with the show crypto host public key command figure 7 5 2 Bring up the SSH client s known host file in a text editor such as Notepad as straig...

Page 194: ...eed to visually verify that the public key the switch is using for authenticating itself to a client matches the copy of this key in the client s known hosts file Non encoded ASCII numeric string Requires a client ability to display the keys in the known hosts file in the ASCII format This method is tedious and error prone due to the length of the keys See figure 7 7 on page 7 13 Phonetic hash Out...

Page 195: ...e switch always uses ASCII version without babble or fingerprint conversion of its public key for file storage and default display format 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients After you enable SSH the switch can authenticate itself to SS...

Page 196: ...access to the switch This possibility can be removed by directly connecting the management station to the switch s serial port using a show command to display the switch s public key and copying the key from the display into a file This requires a knowledge of where the client stores public keys plus the knowledge of what key editing and file format might be required by the client application Howe...

Page 197: ... 896 bits Note on Port ProCurve recommends using the default TCP port number 22 However you Number can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes Examples of reserved IP ports are 23 Telnet and 80 http Some other reserved TCP ports on the switch are 49 80 1506 and 1513 The switch uses these five settings internally for transactions with cli...

Page 198: ...password protection keep physical access to the switch restricted to authorized per sonnel 5 Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch s public key by an SSH client However only Option B below results in the switch also authenticating the client s public key Also for a more detailed discussion of the topics in this se...

Page 199: ... switch This means that before you can use this option you must 1 Create a key pair on an SSH client 2 Copy the client s public key into a public key file which can contain up to ten client public keys 3 Copy the public key file into a TFTP server accessible to the switch and download the file to the switch For more on these topics refer to Further Information on SSH Client Public Key Authenticati...

Page 200: ...ble access for successful SSH clients you want to use TACACS for primary password authentication and local for secondary password authenti cation with a Manager username of 1eader and a password of m0ns00n To set up this operation you would configure the switch in a manner similar to the following ProCurve config password manager user name leader New password for Manager Please retype new password...

Page 201: ...7 11 In this example the file contains two client public keys Client Key Index Number Figure 7 12 SSH Configuration and Client Public Key Listing From Figure 7 11 6 Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch If you have problems refer to RADIUS Related Problems in the Troublesho...

Page 202: ...SSH That is if you use this feature only the clients whose public keys are in the client public key file you store on the switch will have SSH access to the switch over the network If you do not allow secondary SSH login Operator access via local password then the switch will refuse other SSH clients SSH clients that support client public key authentication normally provide a utility to generate a...

Page 203: ...t to the client s hash version If they match then the client is authenticated Otherwise the client is denied access Using client public key authentication requires these steps 1 Generate a public private key pair for each client you want to have SSH access to the switch This can be a separate key for each client or the same key copied to several clients 2 Copy the public key for each client into a...

Page 204: ...mat of a client public key used by the switch does not include the client s IP address Key Type RSA only Maximum Supported 3072 bits Shorter key lengths allow faster operation but also mean diminished security Public Key Length Maximum Key Size 1024 characters Includes the bit size public index modulus any comments CR LF and all blank spaces If necessary youcan usean editorapplication to verify th...

Page 205: ...itch s current client public key file The babble option converts the key data to phonetic hashes that are easier for visual comparisons The fingerprint option converts the key data to phonetic hashes that are for the same purpose For example if you wanted to copy a client public key file named clientkeys txt from a TFTP server at 10 38 252 195 and then display the file contents Key Index Number Fi...

Page 206: ...d If the switch does not have an Operator password then deny access to that client Syntax aaa authentication ssh login public key none Allows SSH client access only if the switch detects a match between the client s public key and an entry in the client public key file most recently copied into the switch aaa authentication ssh login public key local Allows SSH client access if there is a public k...

Page 207: ...efault or select another port number See Note on Port Number on page 7 17 Client public key file corrupt or not The client key does not exist in the switch Use copy found Use copy tftp pub key file ip tftp to download the key from a TFTP server addr filename to download new file Download failed overlength key in key The public key file you are trying to download has one of the file following probl...

Page 208: ... key If the cache is depleted this could take up to two minutes command the switch displays this message while it is generating the key Host RSA key file corrupt or not found Use crypto key generate ssh rsa to create new host key The switch s key is missing or corrupt Use the crypto key generate ssh rsa command to generate a new key for the switch 7 28 ...

Page 209: ...8 7 2 Generating the Switch s Server Host Certificate 8 9 To Generate or Erase the Switch s Server Certificate with the CLI 8 10 Comments on certificate fields 8 11 Generate a Self Signed Host Certificate with the Web browser interface 8 13 Generate a CA Signed server host certificate with the Web browser interface 8 15 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior 8 1...

Page 210: ...SSL provides all the web functions but unlike standard web access SSL provides encrypted authenticated transactions The authentication type includes server certificate authentication with user password authentication Not e SSL in the switches covered in this guide is based on the OpenSSL software toolkit For more information on OpenSSL visit http www openssl com Server Certificate authentication w...

Page 211: ...st certificate and private portion is stored in switch flash not user accessible Digital Certificate A certificate is an electronic passport that is used to establish the credentials of the subject to which the certificate was issued Information contained within the certificate includes name of the subject serial number date of validity subject s public key and the digital signature of the authori...

Page 212: ...ger privileges on the switch Operator Level Operator privileges on the switch Local password or username A Manager level or Operator level pass word configured in the switch SSL Enabled 1 A certificate key pair has been generated on the switch web interface or CLI command crypto key generate cert key size 2 A certificate been generated on the switch web interface or CLI command crypto host cert ge...

Page 213: ...ionality See browser documentation for additional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 8 7 2 Generate a host certificate on the switch page 8 9 i Generate certificate key pair ii Generate host certificate You need to do this only once The switch s own public private certificate key pair and certificate are stored in the switch s flas...

Page 214: ...ou previously set up for SSL access to the switch In some situations this can temporarily allow security breaches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config command The public private certificate key pair is not be confused with the SSH public private key pair The certifica...

Page 215: ...t rsa 512 768 1024 zeroize cert crypto host cert generate self signed arg list zeroize page 8 19 page 8 19 page 8 12 page 8 10 page 8 10 page 8 10 page 8 10 1 Assigning a Local Login Operator and Enable Manager Password At a minimum ProCurve recommends that you always assign at least a Manager password to the switch Otherwise under some circumstances anyone with Telnet web or serial port access co...

Page 216: ...Management and Configuration Guide for your switch Password Button Security Tab Figure 8 2 Example of Configuring Local Passwords 1 Proceed to the security tab and select device passwords button 2 Click in the appropriate box in the Device Passwords window and enter user names and passwords You will be required to repeat the password strings in the confirmation boxes Both the user names and passwo...

Page 217: ... and digitally signed by the switch Since self signed certificates are not signed by a third party certificate authority there is no audit trail to a root CA certificate and no fool proof means of verifying authenticity of certificate The second type is a certificate authority signed certificate which is digitally signed by a certificate authority has an audit trail to a root CA certificate and ca...

Page 218: ...ate for the switch If a switch certificate already exists replaces it with a new certificate See the Note above crypto host cert zeroize Erases the switch s host certificate and disables SSL opera tion To generate a host certificate from the CLI i Generate a certificate key pair This is done with the crypto key generate cert command The default key size is 512 Not e If a certificate key pair is al...

Page 219: ...ress or domain name associated with the switch Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the switch Organization This is the name of the entity e g company where the switch is in service Organizational This is the name of the sub entity e g department where the switch is in service Unit City or location This is the name of the ci...

Page 220: ...new key and server certificate you must also re enable SSL with the web management ssl command before the switch can resume SSL operation CLI Command to view host certificates Syntax show crypto host cert Displays switch s host certificate To view the current host certificate from the CLI you use the show crypto host cert command For example to display the new server host certificate Show host cer...

Page 221: ...ng a new certificate key pair and self signed CA signed certificate The right half displays information on the currently installed certificate ii Select the Generate Certificate button iii Select Self signed certificate in the type box iv Select the RSA key size desired If you do not wish to generate a new key then just select current from the list v Fill in remaining certificate arguments refer t...

Page 222: ...browsers inter face Security Tab SSL button Certificate Type Box Key Size Selection Certificate Arguments Create Certificate Button Figure 8 5 Self Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface 1 Proceed to the Security tab 2 Then the SSL button 8 14 ...

Page 223: ...t Certificate Generate a CA Signed server host certificate with the Web browser interface To install a CA Signed server host certificate from the web browser interface For more information on how to access the web browser interface refer to the chapter titled Using the ProCurve Web Browser Interface in the Man agement and Configuration Guide for your switch 8 15 ...

Page 224: ... select the SSL button ii Select the Create Certificate Certificate Request radio button iii Select Create CA Request from the Certificate Type drop down list iv Select the key size from the RSA Key Size drop down list If you wish to re use the current certificate key select Current from the RSA Key Size drop down list v Fill in remaining certificate arguments Refer to Comments on certificate fiel...

Page 225: ...J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0 aMcXgVruVixw xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH BAIwADANBgkqhkiG9w0B Figure 8 7 Request for Verified Host Certificate Web Browser Interface Screen 3 Enabling SSL on the Switch and Anticipating S...

Page 226: ...tificate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequivocally As long as you are confident that an unauthorized device is not using the switch s IP address in an attempt to gain access to your data or network you can accept the connection Not e When an SSL client connects to the switch for the first time it is possi...

Page 227: ...Generating the Switch s Server Host Certificate on page 8 9 2 Execute the web management ssl command To disable SSL on the switch do either of the following Execute no web management ssl Zeroize the switch s host certificate or certificate key page 8 10 Using the web browser interface to enable SSL To enable SSL on the switch i Proceed to the Security tab then the SSL button ii Select SSL Enable t...

Page 228: ...orts on the switches are 49 80 1506 and 1513 C a u t i o n SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides youmaywanttodisableTelnetaccess notelnet IfyouneedtoincreaseSNMP security use SNMP version 3 only for SNMP access A...

Page 229: ...ser interface You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the Web browser interface on page 8 13 You may be using a reserved TCP port Refer to Note on Port Number on page 8 20 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior on page 8 17 Your browser may no...

Page 230: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup This page is intentionally unused 8 22 ...

Page 231: ...efining and Configuring Named Source Port Filters 9 7 Viewing a Named Source Port Filter 9 8 Using Named Source Port Filters 9 9 Static Multicast Filters 9 15 Protocol Filters 9 16 Configuring Traffic Security Filters 9 17 Configuring a Source Port Traffic Filter 9 18 Example of Creating a Source Port Filter 9 19 Configuring a Filter on a Port Trunk 9 19 Editing a Source Port Filter 9 20 Configuri...

Page 232: ...nd 8000m Yes No No Yes Yes Yes Yes No No Yes Yes Yes Yes No No Yes No No Yes Yes Yes Yes Yes Yes This chapter describes Traffic Security filters on the switches covered in this guide For information on filters for other switches in the above table refer to the documentation provided for those switches Introduction Feature Default Menu CLI Web configure source port filters none n a page 9 21 n a co...

Page 233: ...ource or destination for source port filtering If you configure a port for filtering before adding it to a port trunk the portretains the filter configuration butsuspends the filtering action while a member of the trunk If you want a trunk to perform filtering first configure the trunk then configure the trunk for filtering Refer to Config uring a Filter on a Port Trunk on page 9 19 Filter Types a...

Page 234: ...ion Operating Rules for Source Port Filters You can configure one source port filter for each physical port and port trunk on the switch Refer to the filter command on page 9 18 You can include all destination ports and trunks in the switch on a single source port filter Each source port filter includes One source port or port trunk trk1 trk2 trkn A set of destination ports and or port trunks that...

Page 235: ...ddresses configured on a VLAN and routing enabled on the switch a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN In this case you can prevent the traffic of one subnet from being routed to another subnet of the same port by configuring the port or trunk as both the source and destination for traffic to drop Example If you wanted to p...

Page 236: ... source port filter once and apply it to multiple ports and port trunks This can make it easier to configure and manage source port filters on your switch The commands to define configure apply and display the status of named source port filters are described below Operating Rules for Named Source Port Filters A port or port trunk may only have one source port filter named or not named A named sou...

Page 237: ...destination port list Configures the named source port filter to drop traffic having a destination on the ports and or port trunks in the destination port list Can be followed by the forward option if you have other destination ports or port trunks previously set to drop that you want to change to forward For example filter source port named filter filter name drop destina tion port list forward d...

Page 238: ...26 A named source port filter can be defined and configured in a single command by adding the drop option followed by the required destination port list Viewing a Named Source Port Filter You can list all source port filters configured in the switch both named and unnamed and their action using the show command below Syntax show filter source port Displays a listing of configured source port filte...

Page 239: ...ter to the Internet Port 10 Accounting Workstation 1 Port 11 Accounting Workstation 2 Network Design 1 AccountingWorkstationsmayonly sendtraffictotheAccountingServer 2 NoInternettrafficmaybesenttotheAccountingServerorWorkstations 3 All other switch ports may only send traffic to Port 1 Accounting Server 1 Figure 9 4 Network Configuration for Named Source Port Filters Example Defining and Configuri...

Page 240: ...e filter When NOT USED is displayed the named source port filter may be deleted Lists the ports and port trunks dropped by the filter Ports and port trunks not shown are forwardedbythe filter To remove a port orporttrunkfrom the list update the named source portfilter definition using the forward option Applying Example Named Source Port Filters Once the named source port filters have been defined...

Page 241: ...urceportortrunk assigned to the filter An automatically assigned index number used to identify the filter for a detailed information listing A filter retains its assigned IDX number for as long as the filter exists in the switch The switch assigns the lowestavailableIDXnumbertoanew filter This can result in a newer filter having a lower IDX number than an older filter if a previous source port or ...

Page 242: ...1 0 100TX Dro p 9 1 0 100TX Dro p 1 0 1 0 100TX Dro p 1 1 1 0 100TX Dro p 1 2 1 0 100TX Dro p ProCurve config show filter 24 Traffic Security Filters Filter Type Source Port Source Port 10 Dest Port Ty pe Action 1 10 1 00TX Drop 2 10 1 00TX Drop 3 10 1 00TX Drop 4 10 1 00TX Drop 5 10 1 00TX Drop 6 10 1 00TX Drop 7 10 1 00TX Forwa rd 8 10 1 00TX Drop 9 10 1 00TX Drop 10 10 1 00TX Drop 11 10 1 00TX ...

Page 243: ...ed in accounting Two additional accounting workstations are added and attached to ports 12 and 13 A second server is added attached to port8 Accounting Server 1 Port 7 Port 1 Router to the Internet Port 12 Accounting Workstation 3 Port 13 Accounting Workstation 4 Network Design 1 AccountingWorkstations mayonlysendtraffictotheAccountingServer 2 NoInternettrafficmaybesenttotheAccountingServerorWorks...

Page 244: ... drop 7 8 10 13 ProCurve config We next apply the updated named source port filters to the appropriate switch ports As a port can only have one source port filter named or not named before applying the new named source port filters we first remove the existing source port filters on the port ProCurve config no filter source port 8 12 13 ProCurve config filter source port 8 12 13 named filter accou...

Page 245: ...lled filter overrides the static multicast filter configured on that port Note that in the default configuration IGMP is disabled on VLANs configured in the switch To enable IGMP on a specific VLAN use the vlan vid ip igmp command For more on this command refer to the chapter titled Multimedia Traffic Control with IP Multicast IGMP in the Multicast and Routing Guide for your switch The total of st...

Page 246: ...GMP learns of a multicast group destination in this range In this case IGMP takes over the filtering function for the multicast destination address es for as long as the IGMP group is active If the IGMP group subsequently deactivates the static filter resumes control over traffic to the multicast address C a u t i o n If Spanning Tree is enabled then the MSTP multicast MAC address 0180c2 000000 sh...

Page 247: ... Select the static filter type s 2 For inbound traffic matching the filter type determine the filter action you want for each outbound destination port on the switch forward or drop The default action for a new filter is to forward traffic of the specified type to all outbound ports 3 Configure the filter 4 Use show fi lter page 9 23 to check the filter listing to verify that you have configured c...

Page 248: ...r the ports and or trunks in the designated destination port list Can be followed by forward destination port list if you have other destination ports set to drop that you want to change to forward If no drop or forward action is specified the switch automatically creates a filter with a forward action from the designated source port or trunk to all destination ports or trunks on the switch forwar...

Page 249: ...guring a Filter on a Port Trunk This operation uses the same command as is used for configuring a filter on an individual port However the configuration process requires two steps 1 Configure the port trunk 2 Configure a filter on the port trunk by using the trunk name trk1 trk2 trk6 instead of a port name For example to create a filter on port trunk 1 to drop traffic received inbound for trunk 2 ...

Page 250: ...ore it was added to the trunk Figure 9 6 Example of Switch Response to Adding a Filtered Source Port to a Trunk Editing a Source Port Filter The switch includes in one filter the action s for all destination ports and or trunks configured for a given source port or trunk Thus if a source port filter already exists and you want to change the currently configured action for some destination ports or...

Page 251: ...cast address and returns the destination ports for that filter to the Forward action forward drop port list Specifies whether the designated destination port s should forward or drop the filtered traffic protocol ip ipx arp appletalk sna netbeui Specifies a protocol type Traffic received on any port with this protocol type will be filtered Default Forward on all ports The no form of the command de...

Page 252: ... commands configure the filters listed above Figure 9 8 Configuring Various Traffic Security Filters Filter Indexing The switch automatically assigns each new filter to the lowest available index IDX number The index numbers are included in the show filter command described in the next section and are used with the show filter index command to display detailed information about a specific filter I...

Page 253: ... IDX number than an older filter if a previous filter deletion created a gap in the filter listing Filter Type Indicates the type of filter assigned to the IDX number source port multicast or protocol Value Indicates the port number or port trunk name of the source port or trunk assigned to the filter index Lists the filter type and other data for the filter corre spondingtotheindexnumberintheshow...

Page 254: ...ters Filter Index Numbers AutomaticallyAssigned Listsallfiltersconfigured in the switch Uses the index number IDX for a specific filter to list the details for that filter only Criteria for Individual Filters Figure 9 9 Example of Displaying Filter Data 9 24 ...

Page 255: ...neral Operating Rules and Notes 10 12 General Setup Procedure for 802 1X Access Control 10 14 Do These Steps Before You Configure 802 1X Operation 10 14 Overview Configuring 802 1X Authentication on the Switch 10 15 Configuring Switch Ports as 802 1X Authenticators 10 16 1 Enable 802 1X Authentication on Selected Ports 10 17 A Enable the Selected Ports as Authenticators and Enable the Default Port...

Page 256: ...Configuring 802 1X Open VLAN Mode 10 35 802 1X Open VLAN Operating Notes 10 39 Option For Authenticator Ports Configure Port Security To Allow Only 802 1X Authenticated Devices 10 40 Port Security 10 41 Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches 10 42 Example 10 42 Supplicant Port Configuration 10 44 Displaying 802 1X Configuration Statistics and Co...

Page 257: ... This exposes the network to unauthorized use and malicious attacks While access to the network should be made easy uncontrolled and unauthorized access is usually not desirable 802 1X simplifies security management by providing access control along with the ability to control user profiles from up to three RADIUS servers while allowing a given user to use the same entering valid user credentials ...

Page 258: ...de allows you to assign unauthenticated clients to an isolated VLAN through which you can provide the necessary supplicant software and or other services you want to extend to these clients User Authentication Methods The switch offers two methods for using 802 1X access control Generally the Port Based method supports one 802 1X authenticated client on a port which opens the port to an unlimited ...

Page 259: ...h different configurations for different clients then the last client authenticated will effectively lock out any previously authenticated client When any client to authenticate closes its session the port will also close and remain so until another client successfully authenticates The most recent client authentication determines the untagged VLAN membership for the port Also any client able to u...

Page 260: ... to a device that is running either 802 1X authenticator software or 802 1X client software and is capable of interacting with other devices on the basis of the IEEE 802 1X standard Authorized Client VLAN Like the Unauthorized Client VLAN this is a conventional static VLAN previously configured on the switch by the System Administrator The intent in using this VLAN is to provide authen ticated cli...

Page 261: ...VLAN See Unauthorized Client VLAN EAP Extensible Authentication Protocol EAP enables network access that supports multiple authentication methods EAPOL Extensible Authentication Protocol Over LAN as defined in the 802 1X standard Friendly Client A client that does not pose a security risk if given access to the switch and your network MD5 An algorithm for calculating a unique digital signature ove...

Page 262: ...s sometimes termed a guest VLAN It should be set up to allow an unauthenticated client to access only the initialization services necessary to establish an authenticated connection plus any other desirable services whose use by an unauthenticated client poses no security threat to your network Note that an unauthenticated client has access to all network resources that have membership in the VLAN ...

Page 263: ... for the client 3 The switch responds in one of the following ways If 802 1X on the switch is configured for RADIUS authentication the switch then forwards the request to a RADIUS server i The server responds with an access challenge which the switch forwards to the client ii The client then provides identifying credentials such as a user certificate which the switch forwards to the RADIUS server ...

Page 264: ...he switch assigns the port to the VLAN entered in the port s 802 1X configuration as an Authorized Client VLAN if configured c 3rd Priority If the port does not have an Authorized Client VLAN configured but does have a static untagged VLAN membership in its configuration then the switch assigns the port to this VLAN A port assigned to a VLAN by an Authorized Client VLAN configuration or a RADIUS s...

Page 265: ...Using Port Are All Old Clients On Unauthorized VLAN No No Yes Yes Assign New Client to RADIUS Specified VLAN Assign New Client toAuthorizedVLAN Configured on Port Assign New Client to Untagged VLAN Configured On Port Yes New Client VLAN Same As Old Client VLAN No Drop All Clients UsingUnauthorized VLAN No Reject New Client On Port Yes Accept New Client On Port Yes No Figure 10 1 Priority of VLAN A...

Page 266: ...as an authenticator one authenticated client opens the port Other clients that are not running an 802 1X supplicant application can have access to the switch and network through the opened port If another client uses an 802 1X supplicant application to access the opened port then a re authentication occurs using the RADIUS configuration response for the latest client to authenticate To control acc...

Page 267: ... the trunk it will allow the supplicant to re authenticate If a client already has access to a switch port when you configure the port for 802 1X authenticator operation the port will block the client from further network access until it can be authenticated Meshing is not supported on ports configured for 802 1X port access security A port can be configured as an authenticator or an 802 1X suppli...

Page 268: ...Open VLAN mode for clients that are not 802 1X aware that is for clients that are not running 802 1X supplicant software This will require you to provide download able software that the client can use to enable an authentication session For more on this topic refer to 802 1X Open VLAN Mode on page 10 24 5 For any port you want to operate as a supplicant determine the user credentials You can eithe...

Page 269: ...nt to provide a path for clients without 802 1X supplicant software to download the software so that they can initiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 10 24 3 Configure the 802 1X authentication type Options include Local Operator username and password the default This option allows a client to use the switch s...

Page 270: ...2 1X authenticator on another device then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches on page 10 42 Configuring Switch Ports as 802 1X Authenticators 802 1X Authentication Commands Page no aaa port access authenticator port list 10 17 auth vid clear statistics client limit control max requests 10 17 initial...

Page 271: ...e switch automatically dis ables LACP on that port However if the port is already operating in an LACP trunk you must remove the port from the trunk before you can configure it for 802 1X authentication A Enable the Selected Ports as Authenticators and Enable the Default Port Based Authentication Syntax no aaa port access authenticator port list Enables specified ports to operate as 802 1X authent...

Page 272: ...s the earlier session Note Because a switch allows 802 1X authentication and Web or MAC authentication to co exist on the same port the sum of authenticated client sessions allowed on a given port for both 802 1X and either Web or MAC authentication cannot exceed 32 Port Based 802 1X Authentication no aaa port access authenticator client limit Used to convert a port from client based authenticatio...

Page 273: ...r Port Access The commands in this section are initially set by default and can be reconfig ured as needed Syntax aaa port access authenticator port list control authorized auto unauthorized Controls authentication mode on the specified port authorized Also termed Force Authorized Gives access to a device connected to the port In this case the device does not have to provide 802 1X credentials or ...

Page 274: ...ime the switch waits for a server response to an authentication request If there is no response within the configured time frame the switch assumes that the authentication attempt has timed out Depending on the current max requests setting the switch will either send a new request to the server or end the authentication session Default 30 seconds max requests 1 10 Sets the number of authentication...

Page 275: ...om the port Default 300 seconds unauth period 0 255 Specifies a delay in seconds for placing a port on the Unauthorized Client VLAN This delay allows more time for a client with 802 1X supplicant capability to initiate an authentication session If a connected cli ent does not initiate a session before the timer expires the port is assigned to the Unauthenticated Client VLAN Default 0 seconds auth ...

Page 276: ... Port Access Authentication 4 Enter the RADIUS Host IP Address es If you select either eap radius or chap radius for the authentication method configure the switch to use 1 2 or 3 RADIUS servers for authentication The following syntax shows the basic commands For coverage of all commands related to RADIUS server configuration refer to chapter 6 RADIUS Authen tication and Accounting Syntax radius h...

Page 277: ...mmand Syntax aaa port access authenticator active Activates 802 1X port access on ports you have configured as authenticators 6 Optionally Resetting Authenticator Operation After authentication has begun operating these commands can be used to reset authentication and related statistics on specific ports Syntax aaa port access authenticator port list initialize On the specified ports blocks inboun...

Page 278: ...ed as 802 1X authenticators Configuring the 802 1X Open VLAN mode on a port changes how the port responds when it detects a new client In earlier releases a friendly client computer not running 802 1X supplicant software could not be authenticated on a port protected by 802 1X access security As a result the port would become blocked and the client could not access the network This prevented the c...

Page 279: ...ed VLAN membership for that port Clients that connect without trying to authenticate will have access to the untagged VLAN mem bership that is currently assigned to the port VLAN Membership Priorities Following client authentication an 802 1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration The port also becomes an untagged member of one VLAN...

Page 280: ...Open VLAN mode authentication Unauthorized Client VLAN Configure this VLAN when unauthenti cated friendly clients will need access to some services before being authenticated or instead of being authenticated Authorized Client VLAN ConfigurethisVLANforauthenticatedclients when the port is not statically configured as an untagged member of a VLAN you want clients to use or when the port is statical...

Page 281: ...t already has a statically configured untagged membership in another VLAN then the port temporarily closes access to this other VLAN while in the Unauthorized Client VLAN To limit security risks the network services and access available ontheUnauthorized ClientVLANshouldincludeonlywhataclient needs to enable an authentication session If the port is statically configured as a tagged member of any o...

Page 282: ...ized Client VLAN If RADIUS authentication assigns a VLAN and there are no other authenticatedclientsontheport thentheportbecomesamember of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is connected If the port is statically configured as a tagged member of a VLAN andthisVLANisusedastheAuthorized ClientVLAN thentheport temporarily becomes an untagged member of this...

Page 283: ...entication assigns the port to a VLAN this assignment overrides any statically configured untagged VLAN membership on the port while the client is connected If the port is statically configured as a tagged member of a VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN Note that if...

Page 284: ...e port is statically configured asa tagged member ofany other VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN then the port becomes an untagged member of that VLAN for the d...

Page 285: ...nects from the port then the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured After client authen tication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 10 26 TemporaryVLANMembershipDuring a Client Session Port membership in a VLAN assigned to operate as the Unauthorized...

Page 286: ...entheauthenticatedclientdisconnects theswitchremovesthe port from the Authorized Client VLAN and moves it back to the untagged membership in the statically configured VLAN After client authentication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 10 26 Note This rule assumes No alternate VLAN has been assigned by a RADIUS serve...

Page 287: ...AN before authentication can begin Switch with a Port Configured To When a new client is authenticated on a given port Allow Multiple Authorized Client Sessions If no other clients are authenticated on that port then the port joins one VLAN in the following order of precedence a A RADIUS assigned VLAN if configured b An Authenticated Client VLAN if configured c A static port based VLAN to which th...

Page 288: ...re currently using the port Thus an Unauthorized Client VLAN configured on a switch port that allows multiple 802 1X clients cannot be used if there is already an authenticated client using the port on another VLAN Also a client using the Unauthenticated Client VLAN will be blocked when another client becomes authenticated on the port For this reason the best utilization of the Unauthorized Client...

Page 289: ...ed member of another VLAN the port s access to that other VLAN will be temporarily removed while an authenticated client is connected to the port For example if i Port A5 is an untagged member of VLAN 1 the default VLAN ii You configure port A5 as an 802 1X authenticator port iii You configure port A5 to use an Authorized Client VLAN Then if a client connects to port A5 and is authenticated port A...

Page 290: ...ors The switch automatically disables LACP on the ports on which you enable 802 1X On the ports you will use as authenticators with VLAN operation ensure that the port control parameter is set to auto the default Refer to 1 Enable 802 1X Authentication on Selected Ports on page 10 17 This setting requires a client to support 802 1X authentication with 802 1X supplicant operation and to provide val...

Page 291: ...e a server specific key This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key 4 Activate authentication on the switch Syntax aaa port access authenticator active Activates 802 1X port access on ports you have config ured as authenticators 5 Test both the authorized and unauthorized access to your system to ensure that the 802 1X authe...

Page 292: ...tring The server is connected to a port on the Default VLAN The switch s default VLAN is already configured with an IP address of 10 28 127 100 and a network mask of 255 255 255 0 ProCurve config aaa authentication port access eap radius Configures the switch for 802 1X authentication using an EAP RADIUS server ProCurve config aaa port access authenticator a10 a20 Configures ports A10 A20 as 802 1...

Page 293: ... RADIUS server assigns the port to another authorized VLAN Y Note that if RADIUS assigns VLAN X as anauthorizedVLAN then theportbecomesanuntaggedmemberofVLAN X for the duration of the client connection If there is no Authorized Client or RADIUS assigned VLAN then an authenticated client without tagged VLAN capability can access only a statically configured untagged VLAN on that port When a client ...

Page 294: ...Authenticated Devices If 802 1X authentication is disabled on a port or set to authorized Force Authorize the port can allow access to a non authenticated client Port Security operates with 802 1X authentication only if the selected ports are configured as 802 1X with the control mode in the port access authenticator command set to auto the default setting For example if port A10 was at a non defa...

Page 295: ...limit sets 802 1X to client based operation on the specified ports When this limit is reached no further devices can be authenticated until a currently authen ticated device disconnects and the current delay period or logoff period has expired Configure the port access type Syntax aaa port access auth port list client limit 1 32 Configures client based 802 1X authentication on the specified ports ...

Page 296: ...10 22 A switch port can operate as a supplicant in a connection to a port on another 802 1X aware switch to provide security on links between 802 1X aware switches A port can operate as both an authenticator and a supplicant Example Suppose that you want to connect two switches where Switch A has port A1 configured for 802 1X supplicant operation You want to connect port A1 on switch A to port B5 ...

Page 297: ...D packet If switch B is configured for RADIUS authentication it forwards this request to a RADIUS server If switch B is configured for Local 802 1X authentication the authenticator compares the switch A response to its local username and password 2 The RADIUS server then responds with an MD5 access challenge that switch B forwards to port A1 on switch A 3 Port A1 replies with an MD5 hash response ...

Page 298: ...n then use the identity and secret options to configure the RADIUS expected credentials on the supplicant port If the intended authenticator port uses Local 802 1X authentication then use the identity and secret options to configure the authenticator switch s local username and password on the supplicant port Syntax aaa port access supplicant ethernet port list To enable supplicant operation on th...

Page 299: ...upplicant port requests authentication See step 1 on page 10 42 for a description of how the port reacts to the authenticator response Default 3 held period 0 65535 Sets the time period the supplicant port waits after an active 802 1X session fails before trying to re acquire the authenticator port Default 60 seconds start period 1 300 Sets the delay between Start packet retransmissions That is af...

Page 300: ... and the status of all ports configured for 802 1X authentication Includes the the port traffic priority CoS assigned to inbound traffic and the rate limit settings if any specified by a RADIUS server for a current 802 1X authenticated client session Refer to RADIUS Administered CoS and Rate Limiting on page 6 4 in this guide With port list only same as above but only for the specified port Does n...

Page 301: ...stics port list Shows Whether port access authenticator is active The statistics of the ports configured as 802 1X authenticators including the supplicant s MAC address as determined by the content of the last EAPOL frame received on the port Does not display data for a specified port that is not enabled as an authenticator session counters port list Shows whether port access authenticator is acti...

Page 302: ... VLAN ID column for the same port indicates an unauthenticated client is connected to this port Assumes that the port is not a statically configured member of VLAN 100 Items 1 through 3 indicate that an authenticated client is connected to port 2 1 Open in the Status column 2 Authorized in the Authenticator State column 3 TheAuthVLANID 101 isalsointheCurrentVLANIDcolumn Thisassumesthattheportisnot...

Page 303: ...thenticated 802 1X client is attached to the port Table 10 1 Output for Determining Open VLAN Mode Status Figure 10 7 Upper Status Indicator Meaning Access Control This state is controlled by the following port access command syntax ProCurve config aaa port access authenticator port list control authorized auto unauthorized Auto Configures the port to allow network access to any connected device t...

Page 304: ...lienthasnotreceivedauthorizationthrough 802 1X authentication Open An authorized 802 1X supplicant is connected to the port Current VLAN ID vlan id Lists the VID of the static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Current Port CoS Refer to the section describing RADIUS support for Identity Driven Curr Rate Limit Management IDM in c...

Page 305: ...erridden by Open VLAN mode Note that ports B1 and B3 are not in the upper listing but are included under Overridden Port VLAN configuration This shows that static untagged VLANmembershipsonportsB1 and B3 have been overridden bytemporaryassignmenttothe authorized or unauthorized VLAN Using the show port access authenticator port list command shown in figure 10 7 provides details Figure 10 8 Example...

Page 306: ...show port access supplicant port list statistics Shows the port access statistics and source MAC address es for all ports or port list ports configured on the switch as supplicants See the Note on Suppli cant Statistics below Note on Supplicant Statistics For each port configured as a supplicant show port access supplicant statistics port list displays the source MAC address and statistics for tra...

Page 307: ... not exist or is a dynamic VLAN created by GVRP authentication fails Also for the session to proceed the port must be an untagged member of the required VLAN If it is not the switch temporarily reassigns the port as described below If the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not already con...

Page 308: ...port A2 and Figure 10 9 Example of an Active VLAN Configuration In figure 10 9 if RADIUS authorizes an 802 1X client on port A2 with the requirement that the client use VLAN 22 then VLAN 22 becomes available as Untagged on port A2 for the duration of the session VLAN 33 becomes unavailable to port A2 for the duration of the session because there can be only one untagged VLAN on any port You can us...

Page 309: ...Configuration for VLAN 22 Temporarily Changes for the 802 1X Session With the preceding in mind since static VLAN 33 is configured as untagged on port A2 see figure 10 9 and since a port can be untagged on only one VLAN port A2 loses access to VLAN 33 for the duration of the 802 1X session involving VLAN 22 You can verify the temporary loss of access to VLAN 33 with the show vlan 33 command Even t...

Page 310: ...VLAN 33 on port A2 Figure 10 12 The Active Configuration for VLAN 33 Restores Port A2 After the 802 1X Session Ends Not e s Any port VLAN ID changes you make on 802 1X aware ports during an 802 1X authenticated session do not take effect until the session ends With GVRP enabled a temporary untagged static VLAN assignment created on a port by 802 1X authentication is advertised as an existing VLAN ...

Page 311: ... and MAC or Web authentication is enabled on the same port any 802 1X authentication has no effect on the ability of a client to access the controlled port That is the client s access will be denied until the client authenticates through Web Auth or MAC Auth on the port Note also that a client authenticating with port based 802 1X does not open the port in the same way that it would if Web Auth or...

Page 312: ... No server s responding This message can appear if you configured the switch for EAP RADIUS or CHAP RADIUS authentication but the switch does not receive a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that message page 6 36 LACP has...

Page 313: ...wn and Port Security 11 25 MAC Lockdown Operating Notes 11 26 Deploying MAC Lockdown 11 27 MAC Lockout 11 31 Port Security and MAC Lockout 11 33 Web Displaying and Configuring Port Security Features 11 34 Reading Intrusion Alerts and Resetting Alert Flags 11 34 Notice of Security Violations 11 34 How the Intrusion Log Operates 11 35 Keeping the Intrusion Log Current by Resetting Alert Flags 11 36 ...

Page 314: ...Configuring and Monitoring Port Security Contents Web Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags 11 41 Operating Notes for Port Security 11 42 11 2 ...

Page 315: ... enables individual ports to detect prevent and log attempts by unauthorized devices to commu nicate through the switch Not e This feature does not prevent intruders from receiving broadcast and multi cast traffic Also Port Security and MAC Lockdown are mutually exclusive on a switch If one is enabled then the other cannot be used MAC Lockdown Page 11 23 This feature also known as Static Addressin...

Page 316: ... have configured port security you can then monitor the network for security violations through one or more of the following Alert flags that are captured by network management tools such as ProCurve Manager PCM and PCM Alert Log entries in the switch s web browser interface Event Log entries in the console interface Intrusion Log entries in either the menu interface CLI or web browser interface F...

Page 317: ...hen tication Traps in the Management and Configuration Guide for your switch Port Access Allows only the MAC address of a device authenticated through the switch s 802 1X Port Based access control Refer to chapter 10 Configuring Port Based and Client Based Access Control 802 1X For configuration details refer to Configuring Port Security on page 11 12 Eavesdrop Protection Configuring port security...

Page 318: ... A Physical Topology PC1 can access Switch A PCs 2 and 3 can access Switch B and Switch C but are blocked from accessing switch A by the port security settings in switch A Switch C is not authorized to access Switch A Figure 11 1 Example of How Port Security Controls Access Not e Broadcast andMulticast traffic is always allowed and can be readby intruders connected to a port on which you have conf...

Page 319: ... management station and to 2 option ally disable the port on which the intrusion was detected d How do you want to learn of the security violation attempts the switch detects You can use one or more of these methods Through network management That is do you want an SNMP trap sent to a net management station when a port detects a security violation attempt Through the switch s Intrusion Log availab...

Page 320: ...g no port security 11 9 11 12 11 12 11 12 11 15 11 16 11 16 11 17 11 17 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses Not e Use the global configuration level to execute port security configuration commands Port Security Display Options You can use the CLI to display the current port security settings and to list the currently a...

Page 321: ...on Only the specified ports with their Learn Mode Address Limit alarm Action and Authorized Addresses Without port parameters show port security displays Operating Control settings for all ports on a switch Figure 11 2 Example Port Security Listing Ports A7 and A8 Show the Default Setting Withportnumbersincludedinthecommand show port secu ritydisplaysLearn Mode Address Limit alarm Action and Autho...

Page 322: ...Security Configuration Display for a Single Port The next example shows the option for entering a range of ports including a series of non contiguous ports Note that no spaces are allowed in the port number portion of the command string ProCurve config show port security A1 A3 A6 A8 11 10 ...

Page 323: ...lists the authorized MAC addresses that the switch detects on all ports mac address Lists the specified MAC address with the port on which it is detected as an authorized address port list Lists the authorized MAC addresses detected on the specified port s vlan vid Lists the authorized MAC addresses detected on ports belonging to the specified VLAN Figure 11 4 Examples of Show Mac Address Outputs ...

Page 324: ...on on page 11 5 continuous Default Appears in the factory default setting or when you executeno port securit y Allows the port to learn addresses from the device s to which it is connected In this state the port accepts traffic from any device s to which it is connected Addresses learned in the learn continuous mode will age out and be automatically deleted if they are not used regularly The defau...

Page 325: ...e mac address to specify only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses it detects If for example You use mac address to authorize MAC address 0060b0 880a80 for port A4 You use address limit to allow three devices on port A4 and the port detects these MAC addresses 1 080090 1362f2 2...

Page 326: ...Client Based Access Control 802 1X configured Must specify which MAC addresses are allowed for this port Range is 1 default to 8 and addresses are not ageable Addresses are saved across reboots limited continuous Also known as MAC Secure or limited mode The limited parameter sets a finite limit to the number of learned addresses allowed per port You can set the range from 1 the default to a maximu...

Page 327: ...onfiguration Guide for your switch To set the learn mode to limited use this command syntax port security port list learn mode limited address limit 1 32 action none send alarm send disable The default address limit is 1 but may be set for each port to learn up to 32 addresses The default action is none To see the list of learned addresses for a port use the command show mac port list address limi...

Page 328: ... out See also Retention of Static Addresses on page 11 18 action none send alarm send disable Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device or when Learn Mode is set to continuous and there is an address change on a port none Prevents an SNMP trap from being sent none is the default value send ala...

Page 329: ...inued clear intrusion flag Clears the intrusion flag for a specific port See Reading Intrusion Alerts and Resetting Alert Flags on page 11 34 no port security port list mac address mac addr mac addr mac addr Removes the specified learned MAC address es from the specified port 11 17 ...

Page 330: ...The port learns a MAC address after you configure the port for Static learn mode in only the running config file and after the address is learned you execute write memory to configure the startup config file to match the running config file To remove an address learned using either of the preceding methods do one of the following Delete the address by using no port security port number mac address...

Page 331: ...ects as an authorized device ProCurve config port security a1 learn mode static mac address 0c0090 123456 action send disable This example configures port A5 to Allow two MAC addresses 00c100 7fec00 and 0060b0 889e00 as the authorized devices Send an alarm to a management station if an intruder is detected on the port but allow the intruder access to the network ProCurve config port security a5 le...

Page 332: ... in its Autho rized Address list The Address Limit has not been reached Although the Address Limit is set to 2 only one device has been authorized for this port In this case you can add another without having to also increase the Address Limit Figure 11 5 Example of Adding an Authorized Device to a Port With the above configuration for port A1 the following command adds the 0c0090 456456 MAC addre...

Page 333: ... MAC address to a port on which the Authorized Addresses list is already full as controlled by the port s current Address Limit setting then you must increase the Address Limit in order to add the device even if you want to replace one device with another Using the CLI you can simultaneously increase the limit and add the MAC address with a single command For example suppose port A1 allows one aut...

Page 334: ...thorized it is recommended that you first reduce the Address Limit address limit integer by 1 as shown below This prevents the possibility of the same device or another unauthorized device on the network from automatically being accepted as authorized for that port To remove a device MAC address from the Authorized list and when the current number of devices equals the Address Limit value you shou...

Page 335: ...wn as static addressing is the permanent assign ment of a given MAC address and VLAN or Virtual Local Area Network to a specific port on the switch MAC Lockdown is used to prevent station movement and MAC address hijacking It also controls address learning on the switch When configured the MAC Address can only be used on the assigned port and the client device will only be allowed on the assigned ...

Page 336: ...an the locked down port Thus TCP connections cannot be established Traffic sent to the locked address cannot be hijacked and directed out the port of the intruder If the device computer PDA wireless device is moved to a different port on the switch by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch t...

Page 337: ...with MAC addresses only while MAC Lockdown specifies both a MAC address and a VLAN for lockdown MAC Lockdown on the other hand is not a list It is a global parameter on the switch that takes precedence over any other security mechanism The MAC Address will only be allowed to communicate using one specific port on the switch MAC Lockdown is a good replacement for port security to create tighter con...

Page 338: ...in the log file can be useful for troubleshooting problems If you are trying to connect a device which has been locked down to the wrong port it will not work but it will generate error messages like this to help you determine the problem Limiting the Frequency of Log Messages The first move attempt or intrusion is logged as you see in the example above Subsequent move attempts send a message to t...

Page 339: ...purpose of using MAC Lockdown is to prevent a malicious user from hijacking an approved MAC address so they can steal data traffic being sent to that address As we have seen MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MAC addr...

Page 340: ...rity Basic MAC Lockdown Deployment In the Model Network Topology shown above the switches that are connected to the edge of the network each have one and only one connection to the core network This means each switch has only one path by which data can travel to Server A You can use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go through the one port on the edg...

Page 341: ... traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect against some...

Page 342: ... to Switch 1 And when you remove the MAC Lockdown from Switch 1 to prevent broadcast storms or other connectivity issues you then open the network to security problems The use of MAC Lockdown as shown in the above figure would defeat the purpose of using MSTP or having an alternate path Technologies such as MSTP or meshing are primarily intended for an inter nal campus network environment in which...

Page 343: ... MAC Lockout command on all switches To use MAC Lockout you must first know the MAC Address you wish to block Syntax no lockout mac mac address How It Works Let s say a customer knows there are unauthorized wireless clients whoshouldnothaveaccess to thenetwork The networkadministrator locks out the MAC addresses for the wireless clients by using the MAC Lockout command lockout mac mac address When...

Page 344: ...e 11 12 Limits on Lockout MACs VLANs Multicast Filters Lockout MACs 1024 16 16 1025 2048 8 8 If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file Lockout logging format W 10 30 03 21 35 15 maclock module A 0001e6 1f96c0 detected on port A15 W 10 30 03 21 35 18 maclock module A 0001e6 1f96c0 detected on port A15 W 10 30 03 21 35 18 m...

Page 345: ...y in learning other MAC Addresses Be careful if you use both together however If a MAC Address is locked out and appears in a static learn table in port security the apparently authorized address will still be locked out anyway MACentryconfigurationssetbyportsecurity willbe keptevenifMAC Lockout is configured and the original port security settings will be honored once the Lockout is removed A por...

Page 346: ...e of Security Violations When the switch detects an intrusion on a port it sets an alert flag for that port and makes the intrusion information available as described below While the switch can detect additional intrusions for the same port it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset When a security violatio...

Page 347: ...anager via an SNMP trap sent to a network management station How the Intrusion Log Operates When the switch detects an intrusion attempt on a port it enters a record of this event in the Intrusion Log No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by reset ting the alert flag The Intrusion Log lists the 20 most recently detected ...

Page 348: ...he port until you reset the alert flag for either all ports or for the individual port Note on On a given port if the intrusion action is to send an SNMP trap and then disable Send Disable the port send disable and an intruder is detected on the port then the switch Operation sends an SNMP trap sets the port s alert flag and disables the port If you re enable the port without resetting the port s ...

Page 349: ...t Status Screen with Intrusion Alert on Port A3 2 Type I Intrusion log to display the Intrusion Log The Intrusion Alert column shows Yes for any port onwhichasecurity violation has been MAC Address of Intruding Device on System Time of Intrusion on Port Indicates this intrusion on port A3 occurred prior to a reset reboot at the indicated time Figure 11 15 Example of the Intrusion Log Display The e...

Page 350: ...alert flags for all such ports If you then re display the port status screen you will see that the Intrusion Alert entry for port A3 has changed to No That is your evidence that the Intrusion Alert flag has been acknowledged reset is that the Intrusion Alert column in the port status display no longer shows Yes for the port on which the intrusion occurred port A3 in this example Because the Intrus...

Page 351: ... latest Intruder on Port A1 Earlier intrusions on port A1 that have already been cleared that is the Alert Flag has been reset at least twice before the most recent intrusion Figure 11 17 Example of the Intrusion Log with Multiple Entries for the Same Port The above example shows three intrusions for port A1 Since the switch can show only one uncleared intrusion per port the older two intrusions i...

Page 352: ... port security a1 clear intrusion flag ProCurve config show interfaces brief Intrusion Alert on port A1 is now Figure 11 18 Example of Port Status Screen After Alert Flags Reset For more on clearing intrusions see Note on Send Disable Operation on page 11 36 Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as W MM DD YY HH MM SS FFI port A3 Security Violati...

Page 353: ...ion See Using the Event Log To Identify Problem Sources in the Troubleshooting chapter of the Management and Configuration Guide for your switch Web Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags 1 Check the Alert Log by clicking on the Status tab and the Overview button If there is a Security Violation entry do the following a Click on the Security tab b Click on Intru...

Page 354: ...t your PC or workstation MAC address and interprets your connection as unauthorized Prior To Entries in the Intrusion Log If you reset the switch using the Reset button Device Reset or Reboot Switch the Intrusion Log will list the time of all currently logged intrusions as prior to the time of the reset Alert Flag Status for Entries Forced Off of the Intrusion Log If the Intrusion Log is full of e...

Page 355: ... s ProCurve config The switch will not allow you to configure LACP on a port on which port security is enabled For example ProCurve config int e a17 lacp passive Error configuring port A17 LACP and port security cannot be run together ProCurve config To restore LACP to the port you must remove port security and re enable LACP active or passive This page is intentionally unused 11 43 ...

Page 356: ...Configuring and Monitoring Port Security Operating Notes for Port Security 11 44 ...

Page 357: ...nd Configuring Authorized IP Managers 12 6 Listing the Switch s Current Authorized IP Manager s 12 6 Configuring IP Authorized Managers for the Switch 12 7 Web Configuring IP Authorized Managers 12 9 Building IP Masks 12 9 Configuring One Station Per Authorized Manager IP Entry 12 9 Configuring Multiple Stations Per Authorized Manager IP Entry 12 10 Additional Examples for Authorizing Multiple Sta...

Page 358: ... name Also when configured in the switch the Authorized IP Managers feature takes precedence over local passwords TACACS RADIUS Port Based Access Control 802 1X and Port Security This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features If the Authorized IP Managers fea...

Page 359: ...sername password and other security features available in the switch and preventing unauthorized access to data on your management stations Access Levels Not e The Authorized IP Manager feature can assign an access level to stations using Telnet SNMPv1 or SNMPv2c for switch access The access level the switch allows for authorized stations using SSH SNMPv3 or the web browser interface is determined...

Page 360: ...tations Per Authorized Manager IP Entry on page 12 10 To configure the switch for authorized manager access enter the appropriate Authorized Manager IP value specify an IP Mask and select either Manager or Operator for the Access Level The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a manage ment station Overview of IP Mask Operation The ...

Page 361: ...sk is a method for recognizing whether a given IP address is authorized for management access to the switch This mask serves a different purpose than IP subnet masks and is applied in a different manner Menu Viewing and Configuring IP Authorized Managers From the console Main Menu select 2 Switch Configuration 7 IP Authorized Managers 1 Select Add to add an authorized manager to the list Figure 12...

Page 362: ...Pv2c Refer to the note on page 12 3 Figure 12 2 Example of How To Add an Authorized Manager Entry Continued Editing or Deleting an Authorized Manager Entry Go to the IP Manag ers List screen figure 12 1 highlight the desired entry and press E for Edit or D for Delete CLI Viewing and Configuring Authorized IP Managers Authorized IP Managers Commands Used in This Section Command Page show ip authori...

Page 363: ...ax ip authorized managers ip address Configures one or more authorized IP addresses ip mask bits Configures the IP mask for ip address access operator manager Configures the privilege level for ipaddress Applies only to access through Telnet SNMPv1 and SNMPv2c Refer to the Note on page 12 3 To Authorize Manager Access This command authorizes manager level access for any station with an IP address ...

Page 364: ...To change the mask or access level for an existing entry use the entry s IP address and enter the new value s Notice that any parameters not included in the command will be set to their default ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access operator The above command replaces the existing mask and access level for IP address 10 28 227 101 with 255 255 255 0 and operator ...

Page 365: ...etwork Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask If you have ten or fewer management and or operator stations you can configure them by adding the address of each to the Authorized Manager IP list with 255 255 255 255 for the correspond ing mask For example as shown in figure 12 3 on page 12 7 if you configure an IP address of 10 28 227 125 wit...

Page 366: ...tially authorized station must match the same bit in the IP address you entered in the Authorized Manager IP list Conversely if a bit in an octet of the mask is off set to 0 then the corresponding bit in the IP address of a potentially authorized station on the network does not have to match its counterpart in the IP address you entered in the Authorized Manager IP list Thus in the example shown a...

Page 367: ...ed bits is allowed for the purposes of IP management station access to the switch Thus anymanagementstationhaving anIPaddress of 10 28 227 121 123 125 or 127 can access the switch Figure 12 7 Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses 4th Octet of IP Mask 4th Octet of Authorized IP Address 249 5 Bit Numbers Bit Bit Bit Bit Bit Bit Bit Bit 7 6 5 4 3 2 1 0 Bit Valu...

Page 368: ...cribed in this manual and preventing unauthorized access to data on your management stations Modem and Direct Console Access Configuring authorized IP manag ers does not protect against access to the switch through a modem or direct Console RS 232 port connection Duplicate IP Addresses If the IP address configured in an authorized management station is also configured or spoofed in another station...

Page 369: ... service for web access to the switch To do so add the IP address or DNS name of the switch to the non proxy or Exceptions list in the web browser interface you are using on the authorized station If you don t need proxy server access at all on the authorized station then just disable the proxy server feature in the station s web browser interface 12 13 ...

Page 370: ...Using Authorized IP Managers Operating Notes This page is intentionally unused 12 14 ...

Page 371: ...m Contents Overview 13 2 Terminology 13 2 Configuring Key Chain Management 13 3 Creating and Deleting Key Chain Entries 13 3 Assigning a Time Independent Key to a Chain 13 4 Assigning Time Dependent Keys to a Chain 13 5 13 1 ...

Page 372: ...ances of routing protocols with one or more Send or Accept keys that must be active at the time of a request A protocol instance is usually an interface on which the protocol is running Feature Default Menu CLI Web Generating a Key Chain n a n a page 13 3 n a Generating a Time Independent key n a n a page 13 4 n a Generating a Time Dependent key n a n a page 13 5 n a Terminology Key Chain A key or...

Page 373: ...key chain to a KMS enabled protocol This procedure is protocol dependent For information on a specific protocol refer to the chapter covering that protocol in the Management and Configu ration Guide for your switch Creating and Deleting Key Chain Entries To use the Key Management System KMS you must create one or more key chain entries An entry can be the pointer to a single time independent key o...

Page 374: ...ey chain entry chain_name Using the optional no form of the command deletes the key The key_id is any number from 0 255 key string key_str This option lets you specify the key value for the protocol using the key The key_str can be any string of up to 14 characters in length accept lifetime infinite send lifetime infinite accept lifetimeinfinite Allows packets with this key to be accepted at any t...

Page 375: ...ime dependent key is used there is usually more than one key in the key chain entry Syntax no key chain chain_name key key_id Generates or deletes a key in the key chain entry chain_name Using the optional no form of the command deletes the key The key_id is any number from 0 255 key string key_str This option specifies the key value referenced by the protocol using the key The key_str can be any ...

Page 376: ...o authenticate outbound packets Duration is either an end date and time or the number of seconds to allow after the start date and time which is the accept lifetime setting show key chain chain_name Displays the detail information about the keys used in the key chain named chain_name Note Using time dependent keys requires that all the switches have accurate synchronized time settings You can manu...

Page 377: ...s expired while in transport or there are significant time variations between switches To list the result of the commands in figure 13 3 Figure 13 4 Display of Time Dependent Keys in the Key Chain Entry You can use show key chain to display the key status at the time the command is issued Using the information from the example configuration in figures 13 3 and 13 4 if you execute show key chain at...

Page 378: ...expire Procurve2 uses time dependent keys which result in this data Expired 1 Key 1 has expired because its lifetime ended at 8 10 on 01 18 03 the previous day Active 2 Key 2 and 3 are both active for 10 minutes from 8 00 to 8 10 on 1 19 03 Keys 4 and 5 are either not yet active or expired The total number of keys is 5 13 8 ...

Page 379: ...ands 10 16 displaying configuration 10 46 overview 10 15 port 10 17 configuring method 10 21 control all clients 10 12 control command 10 19 convert to port based 10 18 CoS override 10 46 10 48 counters 10 46 delay move to unauthorized client VLAN 10 28 delay Unauth Client VLAN 10 21 DHCP server 10 33 EAP 10 3 EAPOL 10 7 10 47 eap radius 10 21 enabling on ports 10 17 enabling on switch 10 23 featu...

Page 380: ...icant 10 52 statistics 10 46 supplicant client not using 10 29 configuring switch port 10 44 enabling switch port 10 44 identity option 10 44 secret 10 44 switch port operating as 10 42 supplicant state 10 52 supplicant statistics note 10 52 supplicant configuring 10 42 supplicant timeout 10 20 switch username and password 10 4 terminology 10 6 troubleshooting gvrp 10 53 trunked port blocked 10 13...

Page 381: ...12 12 overview 12 1 troubleshooting 12 12 C certificate CA signed 8 3 root 8 4 self signed 8 3 Clear button to delete password protection 2 6 configuration filters 9 2 port security 11 7 RADIUS See RADIUS SSH See SSH connection rate ACL 3 6 connection rate filtering access control list 3 6 ACL ACE mask 3 26 application to port 3 21 applying 3 26 CIDR notation 3 26 configuring 3 20 example 3 27 3 2...

Page 382: ... authorized IP managers 12 12 E Eavesdrop Protection 11 4 event log intrusion alerts 11 40 F filter source port applicable models 9 2 editing 9 20 filter indexing 9 22 filter type 9 8 idx 9 8 9 22 index 9 8 9 22 operating rules 9 4 9 6 port trunk operation 9 3 9 19 show 9 8 value 9 8 viewing 9 8 filters 9 2 effect of IGMP 9 16 multicast 9 15 protocol 9 16 source port 9 4 source port filter value 9...

Page 383: ...ccess 4 14 the RADIUS server 4 13 features 4 3 general setup 4 12 LACP not allowed 4 12 rules of operation 4 10 show status and configuration 4 27 terminology 4 9 MAC Lockdown 11 3 MAC Lockout 11 3 manager password 2 3 2 5 2 6 manager password recommended 5 7 MD5 See RADIUS message inconsistent value 11 21 multicast address spanning tree protocol 9 16 multicast filter 9 3 9 15 multicast MAC addres...

Page 384: ...6 accounting operating rules 6 22 accounting server failure 6 22 accounting session blocking 6 27 accounting start stop method 6 26 accounting statistics terms 6 30 accounting stop only method 6 26 accounting system 6 22 6 25 administrative service type value 6 12 authentication options 6 3 authentication local 6 19 bypass RADIUS server 6 11 commands accounting 6 21 commands switch 6 8 configurati...

Page 385: ... enabling 7 15 erase host key pair 7 11 generate host key pair 7 11 generating key pairs 7 10 host key pair 7 11 key babble 7 11 key fingerprint 7 11 keys zeroing 7 11 key size 7 17 known host file 7 13 7 15 man in the middle spoofing 7 16 messages operating 7 27 OpenSSH 7 3 operating rules 7 8 outbound SSH not secure 7 8 password security 7 18 password only authentication 7 18 passwords assigning...

Page 386: ...ation 5 11 configuration encryption key 5 19 configuration server access 5 15 configuration timeout 5 20 configuration viewing 5 10 encryption key 5 6 5 15 5 16 5 19 encryption key general operation 5 23 encryption key global 5 20 general operation 5 2 IP address server 5 15 local manager password requirement 5 26 messages 5 25 NAS 5 3 overview 1 10 precautions 5 5 preparing to configure 5 8 preve...

Page 387: ...onfiguring on the switch 4 17 switch for RADIUS access 4 14 features 4 3 general setup 4 12 LACP not allowed 4 12 redirect URL 4 9 rules of operation 4 10 show status and configuration 4 26 terminology 4 9 Web authentication aaa authentication 6 8 Web browser authentication 6 8 web browser interface configuring port security 11 41 configuring port security 11 34 SSL 8 18 unsecured access SSL 8 18 ...

Page 388: ...10 Index ...

Page 389: ......

Page 390: ... change without notice Copyright 2000 2006 Hewlett Packard Development Company L P Reproduction adaptation or translation without prior written permission is prohibited except as allowed under the copyright laws January 2006 Manual Part Number 5991 3828 ...

Reviews:

No comments

Related manuals for J8697A

Brand: N-Tron Pages: 101

Brand: IBM Pages: 342

Brand: A10 Pages: 52

LightSpeed Appliance QLS250

Brand: Quantum Pages: 12

Brand: Tripp Lite Pages: 2

OCTOPUS 5TX-EEC

Brand: Hirschmann Pages: 6

Brand: Telex Communications Pages: 28

Brand: Schrack Technik Pages: 2

Brand: Patton electronics Pages: 9

Brand: Qlogic Pages: 8

Brand: Gira Pages: 6

AyrMesh IndoorAP

Brand: AYRSTONE Pages: 2

Brand: Matrix Switch Corporation Pages: 60

Brand: Connectland Pages: 10

Brand: Dynamix Pages: 102

Brand: Intellinet Pages: 2

Cyclades CS4008

Brand: Avocent Pages: 2

Brand: Dinstar Pages: 103

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands