HP ProCurve 2510-24 Manual Download Page 145

Page: 145 / 318

6-1

Configuring Secure Shell (SSH)

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

Steps for Configuring and Using SSH
for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5

General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8

Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 6-9

1. Assign Local Login (Operator) and Enable (Manager) Password . 6-9

2. Generate the Switch’s Public and Private Key Pair . . . . . . . . . . . . 6-10

3. Provide the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . . 6-12

4. Enable SSH on the Switch and Anticipate SSH
Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15

5. Configure the Switch for SSH Authentication . . . . . . . . . . . . . . . . . 6-18

6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-22

Further Information on SSH Client Public-Key Authentication . . . . . . . . 6-22

Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28

Summary of Contents for ProCurve 2510-24

Page 1: ...Access Security Guide 2510 www procurve com ProCurve Switches Q 11 XX 2510 24 U 11 XX 2510 48 ...

Page 2: ......

Page 3: ...ProCurve Series 2510 Switches Access Security Guide July 2008 ...

Page 4: ...y Tim Hudson tjh cryptsoft com Disclaimer HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this...

Page 5: ...Conventions 1 5 Command Syntax Statements 1 5 Command Prompts 1 6 Screen Simulations 1 6 Port Identity Examples 1 6 Sources for More Information 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 2 Configuring Username and Password Security Contents 2 1 Overview 2 2 Configuring Local Password Security 2 4 Menu Setting Passwords 2 4 CLI Setting Pa...

Page 6: ...ure for Web MAC Authentication 3 12 Do These Steps Before You Configure Web MAC Authentication 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentication on the Switch 3 22...

Page 7: ...iguration 4 10 Configuring the Switch s TACACS Authentication Methods 4 11 Configuring the Switch s TACACS Server Access 4 18 How Authentication Operates 4 23 General Authentication Process Using a TACACS Server 4 23 Local Authentication Process 4 25 Using the Encryption Key 4 26 Controlling Web Browser Interface Access When Using TACACS Authentication 4 27 Messages Related to TACACS Operation 4 2...

Page 8: ...isplaying Authorization Information 5 19 Configuring Commands Authorization on a RADIUS Server 5 19 Configuring RADIUS Accounting 5 25 Operating Rules for RADIUS Accounting 5 26 Steps for Configuring RADIUS Accounting 5 27 Viewing RADIUS Statistics 5 32 General RADIUS Statistics 5 32 RADIUS Authentication Statistics 5 35 RADIUS Accounting Statistics 5 36 Changing RADIUS Server Access Order 5 37 Me...

Page 9: ...ted to SSH Operation 6 28 7 Configuring Secure Socket Layer SSL Contents 7 1 Overview 7 2 Terminology 7 3 Prerequisite for Using SSL 7 5 Steps for Configuring and Using SSL for Switch and Client Authentication 7 5 General Operating Rules and Notes 7 6 1 Assign Local Login Operator and Enable Manager Password 7 7 2 Generate the Switch s Server Host Certificate 7 8 3 Enable SSL on the Switch and Ant...

Page 10: ... the Switch 8 24 6 Optionally Resetting Authenticator Operation 8 25 802 1X Open VLAN Mode 8 26 Introduction 8 26 VLAN Membership Priorities 8 27 Use Models for 802 1X Open VLAN Modes 8 28 Operating Rules for Authorized Client and Unauthorized Client VLANs 8 31 Setting Up and Configuring 802 1X Open VLAN Mode 8 34 802 1X Open VLAN Operating Notes 8 38 Option For Authenticator Ports Configure Port ...

Page 11: ...tween MAC Lockdown and Port Security 9 19 Deploying MAC Lockdown 9 21 MAC Lockout 9 25 Port Security and MAC Lockout 9 27 Web Displaying and Configuring Port Security Features 9 28 Reading Intrusion Alerts and Resetting Alert Flags 9 28 Notice of Security Violations 9 28 How the Intrusion Log Operates 9 29 Keeping the Intrusion Log Current by Resetting Alert Flags 9 30 Using the Event Log To Find ...

Page 12: ...u Viewing and Configuring IP Authorized Managers 10 5 CLI Viewing and Configuring Authorized IP Managers 10 6 Web Configuring IP Authorized Managers 10 9 Building IP Masks 10 9 Configuring One Station Per Authorized Manager IP Entry 10 9 Configuring Multiple Stations Per Authorized Manager IP Entry 10 10 Additional Examples for Authorizing Multiple Stations 10 12 Operating Notes 10 12 Index ...

Page 13: ...anagement Guide a PDF file on the ProCurve Networking Web Site This guide explains the configuration and operation of traffic management features such as spanning tree and VLANs Access Security Guide a PDF file on the ProCurve Networking Web Site This guide explains the configuration and operation of access security and user authentication features on the switch Release Notes posted on the ProCurv...

Page 14: ...ion AdvancedTraffic Management Access Security Guide 802 1Q VLAN Tagging X 802 1p Priority X 802 1X Authentication X Authorized IP Managers X Config File X Copy Command X Debug X DHCP Configuration X DHCP Bootp Operation X Diagnostic Tools X Downloading Software X Event Log X Factory Default Settings X File Management X File Transfers X GVRP X IGMP X Interface Access Telnet Console Serial Web X IP...

Page 15: ...ation X Port Security X Port Status X Port Trunking LACP X Port Based Access Control X Port Based Priority 802 1Q X Quality of Service QoS X RADIUS Authentication and Accounting X Secure Copy X SFTP X SNMP X Software Downloads SCP SFTP TFTP Xmodem X Spanning Tree MSTP X SSH Secure Shell Encryption X SSL Secure Socket Layer X Stack Management Stacking X Feature Management and Configuration Advanced...

Page 16: ... Syslog X System Information X TACACS Authentication X Telnet Access X TFTP X Time Protocols TimeP SNTP X Troubleshooting X VLANs X Xmodem X Feature Management and Configuration AdvancedTraffic Management Access Security Guide ...

Page 17: ...ity Protection 1 3 General Switch Traffic Security Guidelines 1 4 Conventions 1 5 Command Syntax Statements 1 5 Command Prompts 1 6 Screen Simulations 1 6 Port Identity Examples 1 6 Sources for More Information 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 ...

Page 18: ...ocal Manager and Operator Passwords page 2 1 Control access and privileges for the CLI menu and Web browser interfaces TACACS Authentication page 4 1 Uses an authentication appli cation on a server to allow or deny access to a switch RADIUS Authentication and Accounting page 5 1 Like TACACS uses an authentication application on a central server to allow or deny access to the switch RADIUS also pro...

Page 19: ...to detect prevent and log access attempts by unauthorized devices Authorized IP Managers page 10 1 Allows access to the switch by a networked device having an IP address previously configured in the switch as authorized Management Access Security Protection In considering management access security for your switch there are two key areas to protect Unauthorized client access to switch management f...

Page 20: ... OSI model such as SSH The above list does not address the mutually exclusive relationship that exists among some security features Security Feature Offers Protection Against Unauthorized Client Access to Switch Management Features Offers Protection Against Unauthorized Client Access to the Network Connection Telnet SNMP Net Mgmt Web Browser SSH Client Local Manager and Operator Usernames and Pass...

Page 21: ...ts Braces enclose required elements Braces within square brackets indicate a required element within an optional choice Boldface indicates use of a CLI command part of a CLI command syntax or other displayed element in general text For example Use the copy tftp command to download the key from a TFTP server Italics indicate variables for which you must supply a value when executing the command For...

Page 22: ... output sequences appear outside of a numbered figure For example ProCurve config ip default gateway 18 28 152 1 24 ProCurve config vlan 1 ip address 18 28 36 152 24 ProCurve config vlan 1 ip igmp Port Identity Examples This guide describes software applicable to both chassis based and stackable ProCurve switches Where port identities are needed in an example this guide uses the chassis based port...

Page 23: ...ture refer to Product Documentation on page xi Note For the latest version of all ProCurve switch documentation including release notes covering recently added features visit the ProCurve Networking Website at http www procurve com manuals then select your switch product For information on specific parameters in the Menu interface refer to the online help provided in the interface For example Figu...

Page 24: ...urve Networking switch technology visit the ProCurve Website at http www procurve com Need Only a Quick Start IP Addressing If you just want to give the switch an IP address so that it can communicate on your network or if you are not using multiple VLANs ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing To do so do one of the following Enter setup at the ...

Page 25: ...nstructions for physically installing the switch in your network Quickly assigning an IP address and subnet mask setting a Manager password and optionally configuring other basic features Interpreting LED behavior For the latest version of the Installation and Getting Started Guide and other documentation for your switch visit the ProCurve Networking Web site Refer to Product Documentation on page...

Page 26: ...1 10 Getting Started Need Only a Quick Start ...

Page 27: ...Security 2 4 Menu Setting Passwords 2 4 CLI Setting Passwords and Usernames 2 5 Web Setting Passwords and Usernames 2 6 Front Panel Security 2 7 When Security Is Important 2 7 Front Panel Button Functions 2 8 Configuring Front Panel Security 2 10 Password Recovery 2 15 Password Recovery Process 2 17 ...

Page 28: ...curity n a page 1 13 Front panel security page 1 13 password clear enabled page 1 13 reset on clear disabled page 1 14 factory reset enabled page 1 15 password recovery enabled page 1 15 Level Actions Permitted Manager Access to all console interface areas This is the default level That is if a Manager password has not been set prior to starting the current console session then anyone having acces...

Page 29: ... This causes the console session to end after the specified period of inactivity thus giving you added security against unautho rized console access Note The manager and operator passwords and optional usernames control access to the menu interface CLI and Web browser interface If you configure only a Manager password with no Operator password and in a later session the Manager password is not ent...

Page 30: ...pted with Enter new password b Type a password of up to 16 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new console session you will be prompted to enter the password If you use the CLI or Web browser interfa...

Page 31: ...r to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot start a con sole session at the Manager level because of a lost Manager password you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second This action deletes all passwords and u...

Page 32: ...to remove password protection from the Operator level This means that anyone who can access the switch console can gain Operator access without having to enter a user name or password Web Setting Passwords and Usernames In the Web browser interface you can enter passwords and optional user names To Configure or Remove Usernames and Passwords in the Web Browser Interface 1 Click on the Security tab...

Page 33: ... Insurance Portability and Accountability Act HIPAA of 1996 requires that systems handling and transmitting confidential medical records must be secure It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key For some customers this is no longer true Others simply ...

Page 34: ...Reset buttons on the front of the switch Front Panel Button Functions The front panel of the switch includes the Reset button and the Clear button Figure 2 4 Example Front Panel Button Locations Clear Button Pressing the Clear button alone for one second resets the password s con figured on the switch Figure 2 5 Press the Clear Button for One Second To Reset the Password s Clear Button Reset Butto...

Page 35: ...d hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button 2 While holding the Reset button press and hold the Clear button Reset Clear Reset Clear Reset Clear ...

Page 36: ... or re enable the password clearing function of the Clear button Disabling the Clear button means that pressing it does not remove local password protection from the switch This action affects the Clear button when used alone but does not affect the operation of the Reset Clear combination described under Restor ing the Factory Default Configuration on page 2 9 Configure the Clear button to reboot...

Page 37: ...en pressing the Clear button erases the local usernames and passwords from the switch When reset on clear is enabled pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch Enabling reset on clear automatically enables clear password Default Disabled Factory Reset Shows the status of the Reset button on the front panel of the switch Enabled means t...

Page 38: ...y default configuration pressing the Clear button on the switch s front panel erases any local usernames and passwords configured on the switch This command disables the password clear function of the Clear button so that pressing it has no effect on any local usernames and passwords Default Enabled Note Although the Clear button does not erase passwords when disabled you can still use it with the...

Page 39: ...enable or disable the reset on clear option Defaults password clear Enabled reset on clear Disabled Thus To enable password clear with reset on clear disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password cl...

Page 40: ...an use the factory reset command to prevent the Reset Clear combination from being used for this purpose Shows password clear disabled Enables password clear with reset on clear disabled by the no statement at the beginning of the command Shows password clear enabled with reset on clear disabled Syntax no front panel security factory reset Disables or re enables the following functions associated ...

Page 41: ...switch to its factory default configuration which removes any non default configuration settings C a u t i o n Disabling password recovery requires that factory reset be enabled and locks out the ability to recover a lost manager username if configured and pass word on the switch In this event there is no way to recover from a lost manager username password situation without resetting the switch t...

Page 42: ...and press N for No Figure 2 11 shows an example of disabling the password recovery parameter Syntax no front panel security password recovery Enables or using the no form of the command disables the ability to recover a lost password When this feature is enabled the switch allows management access through the password recovery process described below This provides a method for recovering from a lo...

Page 43: ...se the Reset Clear button combination described under Restoring the Factory Default Configuration on page 2 9 This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfig ured To use the password recovery option to recover a lost password 1 Note the switch s base MAC addre...

Page 44: ... Center is valid only for a single login attempt You cannot use the same one time use password if you lose the password a second time Because the password algorithm is randomized based upon your switch s MAC address the password will change as soon as you use the one time use password provided to you by the ProCurve Customer Care Center ...

Page 45: ...on 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentication on the Switch 3 22 Overview 3 22 Configure the Switch for MAC Based Authentication 3 23 Show Status and Config...

Page 46: ...cation Web Auth This method uses a Web page login to authenticate users for access to the network When a user connects to the switch and opens a Web browser the switch automatically presents a login page The user then enters a username and password which the switch forwards to a RADIUS server for authentication After authentication the switch grants access to the secured network Other than a Web b...

Page 47: ...uthentication 802 1X MAC lockdown MAC lock out and port security are mutually exclusive on a given port Also LACP must be disabled on ports configured for any of these authentication methods Client Options Web Auth and MAC Auth provide a port based solution in which a port can belong to one untagged VLAN at a time The switch allows 2 clients per port In the default configuration the switch blocks ...

Page 48: ...n using Web Authentication You can use the RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client When a RADIUS server authenticates a client the switch port membership during the client s connection is determined according to the following hierarchy 1 A RADIUS assigned VLAN 2 An authorized VLAN specified in the Web or MAC Auth configuration for the subject ...

Page 49: ...cess or limited network access as defined by the System Administrator Web based Authentication When a client connects to a Web Auth enabled port communication is redi rected to the switch A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials Figure 3 1 Example of User Login Screen The temporary IP address pool can be specified us...

Page 50: ...n of the client session the port belongs to the authorized VLAN auth vid if configured and temporarily drops all other VLAN memberships 3 If neither 1 or 2 above apply but the port is an untagged member of a statically configured port based VLAN then the port remains in this VLAN 4 If neither 1 2 or 3 above apply then the client session does not have access to any statically configured untagged VL...

Page 51: ...o specific guest network resources If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available Should another client success fully authenticate through that port any unauthenticated clients on the unauth vid are dropped from the port MAC based Authentication When a client connects to a MAC Auth enabled port traffic is blocked The switch immediately subm...

Page 52: ...ession the port returns to its pre authentication state Any changes to the port s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid credentials or a RADIUS server timeout The server timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out The max reque...

Page 53: ...wed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified Web page presented to an authorized client following Web Authentication ProCurve recommends specif...

Page 54: ...ration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to configure VLAN assignments in your RADIUS server or considerusing either Authorized orUnauthorized VLANs Ifyour LAN does use multiple VLANs then some of the following factors may apply to your use of Web Auth and MAC Auth Web Auth and MAC Auth operate only with port based ...

Page 55: ...ategory to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port In this case if there is a successful request for authentication from an authorized client the switch terminates the unauthorized ...

Page 56: ...curity measures are in place to protect the switch configuration from unauthorized access 2 Determine which ports on the switch you want to operate as authentica tors Note that before you configure Web or MAC based authentication on a port operating in an LACP trunk you must remove the port from the trunk refer to the Note on Web MAC Authentication and LACP on page 3 12 3 Determine whether any VLA...

Page 57: ...o rized VLAN the switch simply blocks access to unauthenticated clients trying to use the port 5 Determine the authentication policy you want on the RADIUS server and configure the server Refer to the documentation provided with your RADIUS application and include the following in the policy for each client or client device The CHAP RADIUS authentication method An encryption key One of the followi...

Page 58: ... provides four format options aabbccddeeff the default format aabbcc ddeeff aa bb cc dd ee ff aa bb cc dd ee ff Note on MAC Addresses Letters in MAC addresses must be in lowercase If the device is a switch or other VLAN capable device use the base MAC address assigned to the device and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch Note...

Page 59: ...erver host ip address key server specific key string 3 16 Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the configuration You can config ure up to three RADIUS server addresses The switch uses the first server it successfully accesses Refer to RADIUS Authentication Authorization and Account ing on page 5 1 key global key string S...

Page 60: ...ng authentication or accounting sessions with the speci fied server This key must match the encryption key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for the global encryption key above The no form of the command removes the key configured for a specific server ProCurve config radius server host 192 168 32 11 key 2Pzo...

Page 61: ... switch can communicate with the RADIUS server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Configure the switch for Web Auth a Configure Web Authentication on the switch ports you want to use b If the necessary to avoid address conflicts with the secure network specify the base IP address ...

Page 62: ...quiet period 3 20 reauth period 3 20 reauthenticate 3 20 redirect url 3 21 server timeout 3 21 ssl login 3 21 unauth vid 3 22 Syntax aaa port access web based dhcp addr ip address mask Specifies the base address mask for the temporary IP pool used by DHCP The base address can be any valid ip address not a multicast address Valid mask range value is 255 255 240 0 255 255 255 0 Default 192 168 0 0 2...

Page 63: ...rver supplies one Use the no form of the command to set the auth vid to 0 Default 0 Syntax aaa port access web based e port list client limit 1 2 Specifies the maximum number of authenticated clients to allow on the port Default 1 Syntax no aaa port access web based e port list client moves Allows client moves between the specified ports under Web Auth control When enabled the switch allows client...

Page 64: ... port access web based e port list max retries 1 10 Specifies the number of the number of times a client can enter their user name and password before authen tication fails This allows the reentry of the user name and password if necessary Default 3 Syntax aaa port access web based e port list quiet period 1 65535 Specifies the time period in seconds the switch should wait before attempting an aut...

Page 65: ...for authenticated clients may not be acceptable Syntax aaa port access web based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt or ends the authentication session Default 30 seconds Syntax no aaa port access web based e port list ssl logi...

Page 66: ...rver you have configured to support MAC Auth on the switch 4 Configure the switch with the correct IP address and encryption key to access the RADIUS server 5 Configure the switch for MAC Auth a Configure MAC Authentication on the switch ports you want to use 6 Test both the authorized and unauthorized access to your system to ensure that MAC Authentication works properly on the ports you have con...

Page 67: ...access mac based addr format no delimiter single dash multi dash multi colon Specifies the MAC address format to be used in the RADIUS request message This format must match the format used to store the MAC addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb cc dd ee ff format ...

Page 68: ... moves allowed Syntax aaa port access mac based e port list auth vid vid no aaa port access mac based e port list auth vid Specifies the VLAN to use for an authorized client The Radius server can override the value accept response includes a vid If auth vid is 0 no VLAN changes occur unless the RADIUS server supplies one Use the no form of the command to set the auth vid to 0 Default 0 Syntax aaa ...

Page 69: ...t 300 seconds Syntax aaa port access mac based e port list reauthenticate Forces a reauthentication of all attached clients on the port Syntax aaa port access mac based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt or ends the authentica...

Page 70: ...t as well as its current VLAN ID Ports without Web Authenti cation enabled are not listed Syntax show port access port list web based clients Shows the port address Web address session status and elapsed session time for attached clients on all ports or the specified ports Ports with multiple clients have an entry for each attached client Ports without any attached clients are not listed Syntax sh...

Page 71: ... timeout failures before authentication fails and the length of time between authentication requests Syntax show port access port list web based config web server Shows Web Authentication settings for all ports or the specified ports along with the Web specific settings for password retries SSL login status and a redirect URL if specified Syntax show port access port list web based config detail S...

Page 72: ...ll as its current VLAN ID Ports without MAC Authenti cation enabled are not listed Syntax show port access port list mac based clients Shows the port address MAC address session status and elapsed session time for attached clients on all ports or the specified ports Ports with multiple clients have an entry for each attached client Ports without any attached clients are not listed Syntax show port...

Page 73: ...s for all ports or the specified ports along with the Radius server specific settings for the timeout wait the number of timeout failures before authentication fails and the length of time between authentication requests Syntax show port access port list mac based config detail Shows all MAC Authentication settings including the Radius server specific settings for the specified ports ...

Page 74: ... difficulties See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan Unauthorized VLAN only 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfully applied to the port...

Page 75: ...ntication Configuration 4 9 Viewing the Switch s Current TACACS Server Contact Configuration 4 10 Configuring the Switch s TACACS Authentication Methods 4 11 Configuring the Switch s TACACS Server Access 4 18 How Authentication Operates 4 23 General Authentication Process Using a TACACS Server 4 23 Local Authentication Process 4 25 Using the Encryption Key 4 26 Controlling Web Browser Interface Ac...

Page 76: ...gned in a TACACS server and 2 local passwords configured on the switch That is Feature Default Menu CLI Web view the switch s authentication configuration n a page 4 9 view the switch s TACACS server contact configuration n a page 4 10 configure the switch s authentication methods disabled page 4 11 configure the switch to contact TACACS server s disabled page 4 18 B ProCurve Switch Configured for...

Page 77: ... TACACS operation are communication server remote access server or terminal server These terms apply when TACACS is enabled on the switch that is when the switch is TACACS aware TACACS Server The server or management station configured as an access control server for TACACS enabled devices To use TACACS with the switch and any other TACACS capable devices in your network you must purchase install ...

Page 78: ...on local authentication refer to Configuring Username and Password Security on page 2 1 TACACS Authentication This method enables you to use a TACACS server in your network to assign a unique password user name and privilege level to each individual or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central se...

Page 79: ...ommends that you use a TACACS server application that supports a redundant backup installation This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect Web browser interface access Refer to Controlling Web Browser Interface Access When Using TACACS Authentication on page 4 27 General Authentication Setup Proce...

Page 80: ...o the switch This includes the username password sets for logging in at the Operator read only privilege level and the sets for logging in at the Manager read write privilege level The IP address es of the TACACS server s youwanttheswitchtouse for authentication If you will use more than one server determine which server is your first choice for authentication services The encryption key if any fo...

Page 81: ...local username and password for Manager access If the switch cannot find any designated TACACS servers the local manager and operator username password pairs are always used as the secondary access control method Caution You should ensure that the switch has a local Manager password Other wise if authentication through a TACACS server fails for any reason then unauthorized access will be available...

Page 82: ...ng data that could affect the console access 9 When you are confident that TACACS access through Telnet SSH and the switch s console operates properly use the write memory command to save the switch s running config file to flash memory Configuring TACACS on the Switch Before You Begin If you are new to TACACS authentication ProCurve recommends that you read the General Authentication Setup Proced...

Page 83: ...Syntax show authentication This example shows the default authentication configuration Figure 4 2 Example Listing of the Switch s Authentication Configuration Command Page show authentication 4 9 show tacacs 4 10 aaa authentication pages4 11through4 15 console telnet ssh num attempts 1 10 tacacs server pages 4 18 host ip addr pages 4 18 key 4 22 timeout 1 255 4 23 Configuration for login and enabl...

Page 84: ... TACACS servers the switch can contact Syntax show tacacs For example if the switch was configured for a first choice and two backup TACACS server addresses the default timeout period and paris 1 for a global encryption key show tacacs would produce a listing similar to the following Figure 4 3 Example of the Switch s TACACS Configuration Listing First Choice TACACS Server Second Choice TACACS Ser...

Page 85: ...access method for configuration enable login primary method backup method enable Configures enable privilege level read write access for the authentication method login Configures login privilege level read only access for the authentication method primary method The primary authentication method for access backup method The authentication method to use if the primary method is not able to check t...

Page 86: ...s with a password and other data configured on a TACACS server radius Authenticates with a password and other data configured on a RADIUS server local none authorized If the primary authentication method fails determines whether to use the local password as a secondary method to disallow access or to allow access without authenti cation aaa authentication num attempts 1 10 Specifies the maximum nu...

Page 87: ...ge level being configured tacacs Use a TACACS server radius Use a RADIUS server local or none or authorized none n a Specifies the secondary backup method for the access method being config ured local The username password pair configured locally in the switch for the privilege level being configured Cannot be used if the primary authentication is local none No secondary type of authentication for...

Page 88: ...ommended as it defeats the purpose of using the TACACS authentication If you want Enable Primary log in attempts to go to a TACACS server you should configure both Login Primary and Enable Primary for tacacs authentication Access Method and Privilege Level Authentication Options Effect on Access Attempts Primary Secondary Console Login local none Local username password access only tacacs local If...

Page 89: ...word then requests the privilege level Operator or Manager that was configured on the TACACS server for this username Console Login Operator or Read Only Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication console login tacacs local Console Enable Manager or Read Write Access Primary using TACACS server Secondary using Local ProCurve config aaa authenticatio...

Page 90: ... to check some entries in the User Setup on the TACACS server In the User Setup scroll to the Advanced TACACS Settings section Make sure the radio button for Max Privilege for any AAA Client is checked and the level is set to 15 as shown in Figure 4 4 Privileges are represented by the numbers 0 through 15 with zero allowing only Operator privileges and requiring two logins and 15 representing root...

Page 91: ...Configuring TACACS on the Switch Check the Privilege level box and set the privilege level to 15 to allow root privileges This allows you to use the single login option Figure 4 5 The Shell Section of the TACACS Server User Setup ...

Page 92: ...cryption keys you can configure the switch to use different encryp tion keys for different TACACS servers The timeout value in seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the switch ...

Page 93: ...keys If TACACS server X does not have an encryption key assigned for the switch then configuring either a global encryption key or a server specific key in the switch for server X will block authentication support from server X Syntax tacacs server host ip addr key key string Adds a TACACS server and optionally assigns a server specific encryption key no tacacs server host ip addr Removes a TACACS...

Page 94: ...server 2 When there is one TACACS serves already configured entering another server IP address makes that server the second choice backup TACACS server 3 When there are two TACACS servers already configured entering another server IP address makes that server the third choice backup TACACS server The above position assignments are fixed Thus if you remove one server and replace it with another the...

Page 95: ...lso assigned in the TACACS server s that the switch will access for authentication This option is subordinate to any per server encryption keys you assign and applies only to accessing TACACS servers for which you have not given the switch a per server key See the host ip addr key key string entry at the beginning of this table For more on the encryption key see Using the Encryption Key on page 4 ...

Page 96: ...cryption key if the same key applies to all TACACS servers the switch may use for authentication attempts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 4 26 To configure north01 as a global encryption key ProCurve config tacacs server key north01 To configure north01 as a per...

Page 97: ... long the switch waits for a response to an authentication request from a TACACS server before either sending a new request to the next server in the switch s Server IP Address list or using the local authentication option For example to change the timeout period from 5 seconds the default to 3 seconds ProCurve config tacacs server timeout 3 How Authentication Operates General Authentication Proce...

Page 98: ...he TACACS server 3 After the server receives the username input the requesting terminal receives a password prompt from the server via the switch 4 When the requesting terminal responds to the prompt with a password the switch forwards it to the TACACS server and one of the following actions occurs If the username password pair received from the requesting terminal matches a username password pair...

Page 99: ...hich enables only local password configuration If the operator at the requesting terminal correctly enters the user name password pair for either access level access is granted Iftheusername passwordpairenteredattherequestingterminaldoes not match either username password pair previously configured locally in the switch access is denied In this case the terminal is again prompted to enter a userna...

Page 100: ...on then communication between the switch and the TACACS server will fail Thus on the TACACS server side you have a choice as to how to implement a key On the switch side it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server For information on how to configure a general or individual key in the TACACS server refer to the documentation you received ...

Page 101: ...host 10 28 227 87 key south10campus With both of the above keys configured in the switch the south10campus key overrides the north40campus key only when the switch tries to access the TACACS server having the 10 28 227 87 address Controlling Web Browser Interface Access When Using TACACS Authentication Configuring the switch for TACACS authentication does not affect Web browser interface access To...

Page 102: ...e first choice or only TACACS server Connecting to secondary Tacacs server The switch was not able to contact the first choice TACACS server and is now attempting to contact the next secondary TACACS server identified in the switch s tacacs server configuration Invalid password The system does not recognize the username or the password or both Depending on the authentication method tacacs or local...

Page 103: ... TACACS is not enabled on the switch or when the switch s only designated TACACS servers are not accessible setting a local Operator password without also setting a local Manager password does not protect the switch from manager level access by unauthor ized persons ...

Page 104: ...4 30 TACACS Authentication Configuring TACACS on the Switch ...

Page 105: ... s Global RADIUS Parameters 5 12 Local Authentication Process 5 16 Controlling Web Browser Interface Access When Using RADIUS Authentication 5 17 Commands Authorization 5 17 Enabling Authorization 5 18 Displaying Authorization Information 5 19 Configuring Commands Authorization on a RADIUS Server 5 19 Configuring RADIUS Accounting 5 25 Operating Rules for RADIUS Accounting 5 26 Steps for Configuri...

Page 106: ...ity for the follow ing types of primary password access to the ProCurve switch Serial port Console Telnet SSH Web Port Access Note The switch does not support RADIUS security for SNMP network manage ment access For information on blocking unauthorized access through the Web browser interface refer to Controlling Web Browser Interface Access When Using RADIUS Authentication on page 5 17 Accounting ...

Page 107: ...work Access Server In this case a ProCurve switch configured for RADIUS security operation RADIUS Remote Authentication Dial In User Service RADIUS Client The device that passes user information to designated RADIUS servers RADIUS Host See RADIUS server RADIUS Server A server running the RADIUS application you are using on your network This server receives user connection requests from the switch ...

Page 108: ...der in which they are listed by showradius page 5 32 If the first server does not respond the switch tries the next one and so on To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 5 37 YoucanselectRADIUSastheprimaryauthenticationmethodforeach type of access Only one primary and one secondary access method is allowed for each access...

Page 109: ...he IP address es of the RADIUS server s you want to support the switch You can configure the switch for up to three RADIUS servers If you need to replace the default UDP destination port 1812 the switch uses for authentication requests to a specific RADIUS server select it before beginning the configuration process If you need to replace the default UDP destination port 1813 the switch uses for ac...

Page 110: ...y times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting This depends on how many RADIUS servers you have configured the switch to access Determine whether you want to bypass a RADIUS server that fails to respond to requests for service To shorten authentication time you can set a bypass period in the range of 1 to 1440 minutes for non responsiv...

Page 111: ...t for accounting requests default 1813 recommended Optional encryption key for use during authentication sessions with a RADIUS server This key overrides the global encryption key you can also configure on the switch and must match the encryption key used on the specified RADIUS server Default null 3 Configure the global RADIUS parameters Server Key This key must match the encryption key used on t...

Page 112: ...ing RADIUS Accounting on page 5 25 1 Configure Authentication for the Access Methods You Want RADIUS To Protect Thissectiondescribeshow toconfiguretheswitchfor RADIUSauthentication through the following access methods Console Either direct serial port connection or modem connection Telnet Inbound Telnet must be enabled the default SSH To employ RADIUS for SSH access you must first configure the sw...

Page 113: ...entication method for console Telnet SSH and or theWeb browser interface The default primary enable login authentication is local local none Provides options for secondary authentication default none Note that for console access secondary authenti cation must be local if primary access is not local This prevents you from being completely locked out of the switch in the event of a failure in other ...

Page 114: ...ation requests to the specified RADIUS server host If you do not use this option with the radius server host command the switch automatically assigns the default authentication port number The auth port number must match its server counterpart Default 1812 acct port port number Optional Changes the UDP destination port for account ing requests to the specified RADIUS server If you do not use this ...

Page 115: ...y of source0119 Figure 5 3 Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5 3 you would do the following Figure 5 4 Sample Configuration for RADIUS Server After Changing the Key and Adding Another Server To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on...

Page 116: ...th all RADIUS servers for which there is not a server specific key configured by radius server host ip address key key string This key is optional if you configure a server specific key for each RADIUS server entered in the switch Refer to 2 Configure the Switch To Access a RADIUS Server on page 5 10 Server timeout Defines the time period in seconds for authentica tion attempts If the timeout peri...

Page 117: ...he session due to input errors Default 3 Range 1 10 no radius server key global key string Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key Default Null dead time 1 1440 Optional Specifies the time ...

Page 118: ... authentication parameters Allow only two tries to correctly enter username and password Use the global encryption key to support the two servers that use the same key For this example assume that you did not configure these two servers with a server specific key Use a dead time of five minutes for a server that fails to respond to an authentication request Allow three seconds for request timeouts...

Page 119: ...e Local None SSH Radius None Radius None Web Auth ChapRadius MAC Auth ChapRadius ProCurve show radius Status and Counters General RADIUS Information Deadtime min 5 Timeout secs 3 Retransmit Attempts 2 Global Encryption Key My Global Key 1099 Auth Acct Server IP Addr Port Port Encryption Key 10 33 18 127 1812 1813 source0127 10 33 18 119 1812 1813 10 33 18 151 1812 1813 After two attempts failing d...

Page 120: ...ator at the requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level...

Page 121: ...on and authorization steps into one phase The user must be successfully authenticated before the RADIUS server will send authorization information from the user s profile to the Network Access Server NAS After user authentication has occurred the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user s session Changes in the user s authorization p...

Page 122: ...nd list and the command exception flag When an authenticated user enters a command on the switch the switch examines the list of com mandsdeliveredinthe RADIUSAccess Acceptpacketaswellasthecommand exception flag which indicates whether the user has permission to execute the commands in the list See Configuring the RADIUS Server on page 5 19 After the Access Accept packet is deliver the command lis...

Page 123: ... or denied execution by the user The commands are delimited by semi colons and must be between 1 and 249 characters in length Multiple instances of this attribute may be present in Access Accept packets A single instance may be present in Accounting Request packets HP Command Exception A flag that specifies whether the commands indicated by the HP Command String attribute are permitted or denied t...

Page 124: ...ticated user is allowed to execute all commands available on the switch Not present PermitList DenyOthers 0 Authenticated user can only execute aminimalsetofcommands thosethat are available by default to any user Commands List DenyList PermitOthers 1 Authenticated user may execute all commands except those in the Commands list Commands List PermitList DenyOthers 0 Authenticated user can execute on...

Page 125: ...teps 1 Create a dictionary file for example hp ini containing the HP VSA definitions as shown in the example below User Defined Vendor The Name and IETF vendor code and any VSAs MUST be unique One or more VSAs named max 255 Each named VSA requires a definition section Types are STRING INTEGER IPADDR The profile specifies usage IN for accounting OUT for authorization MULTI if more than a single ins...

Page 126: ... or removing vendors requires ACS services to be re started Please make sure regedit is not running as it can prevent registry backup restore operations Are you sure you want to proceed Y or N y Parsing hp ini for addition at UDV slot 0 Stopping any running services Creating backup of current config Adding Vendor HP added as RADIUS HP Done Checking new configuration New configuration OK Re startin...

Page 127: ...eswillappearinCiscoACSconfigurations forexample Interface Configuration Group Setup User Setup To enable the processing of the HP Command String VSA for RADIUS accounting 1 Select System Configuration 2 Select Logging 3 Select CSV RADIUS Accounting In the Select Columns to Log section add the HP Command String attribute to the Logged Attributes list 4 Select Submit 5 Select Network Configuration I...

Page 128: ...y dictionary hp to that location Open the existing dictionary file and add this entry INCLUDE dictionary hp 4 You can now use HP VSAs with other attributes when configuring user entries dictionary hp As posted to the list by User user_email Version Id dictionary hp v 1 0 2006 02 23 17 07 07 VENDOR Hp 11 HP Extensions ATTRIBUTE Hp Command String 2 string Hp ATTRIBUTE Hp Command Exception 3 integer ...

Page 129: ...unting services Network accounting Provides records containing the information listed below on clients directly connected to the switch and operating under Port Based Access Control 802 1X RADIUS Accounting Commands Page no radius server host ip address 5 28 acct port port number 5 28 key key string 5 28 no aaa accounting exec network system start stop stop only radius 5 31 no aaa accounting updat...

Page 130: ... with your RADIUS server Operating Rules for RADIUS Accounting You can configure up to three types of accounting to run simultane ously exec system and network RADIUS servers used for accounting are also used for authentication The switch must be configured to access at least one RADIUS server RADIUS servers are accessed in the order in which their IP addresses were configured in the switch Use sh...

Page 131: ...P address Optional a UDP destination port for authentication requests Otherwise the switch assigns the default UDP port 1812 recom mended Optional if you are also configuring the switch for RADIUS authentication and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig nating configure a server specific key This key overrides the global encryption...

Page 132: ...urposes IP address 10 33 18 151 A non default UDP port number of 1750 for accounting For this example assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings and that RADIUS is already configured as an authentication method for one or more types of access to the switch Telnet Console etc Syntax no radius server host ip address Adds ...

Page 133: ... if you want to collect accounting data when A system boot or reload occurs System accounting is turned on or off Note that there is no time span associated with using the system option It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs Network Use Network if you want to collect accounting information on 802 1X port based access us...

Page 134: ... 5 29 ignores start stop because the switch sends the accumulated data only when there is a reboot reload or accounting on off event Stop Only Send a stop record accounting notice at the end of the accounting session The notice includes the latest data the switch has collected for the requested accounting type Network Exec or System Do not wait for an acknowledgment Thesystemoption page5 29 always...

Page 135: ...an suppress accounting for an unknown user having no username To continue the example in figure 5 9 suppose that you wanted the switch to Send updates every 10 minutes on in progress accounting sessions Block accounting for unknown users no username Configuresexecandsystem accounting and controls Summarizes the switch s accounting configuration Exec and System accounting are active Assumes the swi...

Page 136: ...re 5 11 Example of General RADIUS Information from Show Radius Command Update Period Suppress Unknown User Syntax show radius host ip addr Shows general RADIUS configuration including the server IP addresses Optional form shows data for a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Co...

Page 137: ...5 33 RADIUS Authentication Authorization and Accounting Viewing RADIUS Statistics Figure 5 12 RADIUS Server Information From the Show Radius Host Command ...

Page 138: ...nting Request as well as a timeout Malformed Responses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses Bad Authenticators The number of RADIUS Accounting Response packets which contained invalid authenticators received...

Page 139: ...uthentication Displays the primary and secondary authentication meth ods configured for the Console Telnet Port Access 802 1X and SSH methods of accessing the switch Also displays the number of access attempts currently allowed in a session show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch s interactions with this server Requires prior use o...

Page 140: ...ADIUS Accounting Information for a Specific Server Syntax show accounting Lists configured accounting interval Empty User suppres sion status accounting types methods and modes show radius accounting Lists accounting statistics for the RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the switch...

Page 141: ...sses they are listed in the order in which you entered them However if you subsequently remove the second server address in the list and add a new server address the new address will be placed second in the list Thus to move a server address up in the list you must delete it from the list ensure that the position to which you want to move it is vacant and then re enterit Forexample supposeyouhavea...

Page 142: ...rst highest position in the list 3 Re enter 10 10 10 003 Because the switch places a newly entered address in the highest available position this address becomes first in the list 4 Re enter 10 10 10 001 Because the only positionopen is the thirdposition this address becomes last in the list Figure 5 19 Example of New RADIUS Server Search Order Removes the 003 and 001 addresses from the RADIUS ser...

Page 143: ...iscorrectly configured to receive an authentication request from the switch No server s responding The switch is configured for and attempting RADIUS authentication however it is not receiving a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions lis...

Page 144: ...5 40 RADIUS Authentication Authorization and Accounting Messages Related to RADIUS Operation ...

Page 145: ...for SSH Operation 6 9 1 Assign Local Login Operator and Enable Manager Password 6 9 2 Generate the Switch s Public and Private Key Pair 6 10 3 Provide the Switch s Public Key to Clients 6 12 4 Enable SSH on the Switch and Anticipate SSH Client Contact Behavior 6 15 5 Configure the Switch for SSH Authentication 6 18 6 Use an SSH Client To Access the Switch 6 22 Further Information on SSH Client Pub...

Page 146: ...uses one or more public keys from clients that must be stored on the switch Only a client with a private key that matches a stored public key can gain access to the switch The same private key can be stored on one or more clients Figure 6 1 Client Public Key Authentication Model Feature Default Menu CLI Web Generating a public private key pair on the switch No n a page 6 10 n a Using the switch s ...

Page 147: ...ding passwords stored locally on the switch or on a TACACS or RADIUS server However the client does not use a key to authenticate itself to the switch Figure 6 2 Switch User Authentication SSH on the ProCurve switches covered in this guide supports these data encryption methods 3DES 168 bit DES 56 bit Note The ProCurve switches covered in this guide use the RSA algorithm for internally generated k...

Page 148: ...r copying A private key generated by an SSH client applica tion is typically stored in a file on the client device and together with its public key counterpart can be copied and stored on multiple devices Public Key An internally generated counterpart to a private key A device s public key is used to authenticate the device to other devices Enable Level Manager privileges on the switch Login Level...

Page 149: ...lic Key Formats Any client application you use for client public key authentication with the switch must have the capability export public keys The switch can accept keys in the PEM Encoded ASCII Format or in the Non Encoded ASCII format Figure 6 3 Example of Public Key in PEM Encoded ASCII Format Common for SSHv2 Clients Steps for Configuring and Using SSH for Switch and Client Authentication For...

Page 150: ...er accessible to the switch and download the client public key file to the switch The client public key file can hold up to ten client keys This topic is covered under To Create a Client Public Key Text File on page 6 24 Switch Access Level Primary SSH Authentication Authenticate SwitchPublicKey to SSH Clients Authenticate Client Public Key to the Switch Primary Switch Password Authentication Seco...

Page 151: ... the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none If the primary authentication method is local the secondary method must be none Option B Primary Client public key authentication login public key page 6 22 Secondary none Note that ...

Page 152: ...h you should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow security breaches On ProCurve switches that support stacking when stacking is enabled SSH provides security only between an SSH cl...

Page 153: ...ord with one command Syntax password manager operator all SSH Related Commands in This Section Page show ip ssh 6 17 show crypto client public key manager operator keylist str babble fingerprint 6 25 show crypto host public key babble fingerprint 6 14 show authentication 6 21 crypto key generate zeroize ssh rsa 6 11 ip ssh 6 16 filetransfer 6 16 port 1 65535 default 6 16 timeout 5 120 6 16 aaa aut...

Page 154: ...witch s public key in the file Refer to the documentation for your SSH client application The session key pair mentioned above is not visible on the switch It is a temporary internally generated pair used for a particular switch client ses sion and then discarded Notes When you generate a host key pair on the switch the switch places the key pair in flash memory and not in the running config file ...

Page 155: ... a public private key pair for the switch If a switch key pair already exists replaces it with a new key pair See the Note above crypto key zeroize ssh rsa Erases the switch s public private key pair and dis ables SSH operation show crypto host public key Displays switch s public key Displays the version 1 and version 2 views of the key babble Displays hashes of the switch s public key in phonetic...

Page 156: ...t match for PEM keys only the PEM encoded string itself must match Notes Zeroizing the switch s key automatically disables SSH sets ip ssh to no Thus if you zeroize the key and then generate a new key you must also re enable SSH with the ip ssh command before the switch can resume SSH operation 3 Provide the Switch s Public Key to Clients When an SSH client contacts the switch for the first time t...

Page 157: ...gure 6 5 2 Bring up the SSH client s known host file in a text editor such as Notepad as straight ASCII text and copy the switch s public key into the file 3 Ensure that there are no changes in breaks in the text string A public key must be an unbroken ASCII string Line breaks are not allowed Changes in the line breaks will corrupt the Key For example if you are using Windows Notepad ensure that W...

Page 158: ...e switch is using for authenticating itself to a client matches the copy of this key in the client s known hosts file Non encoded ASCII numeric string Requires a client ability to display the keys in the known hosts file in the ASCII format This method is tedious and error prone due to the length of the keys See figure 6 7 on page 6 13 Phonetic hash Outputs the key as a relatively short series of ...

Page 159: ...ion of its public key for file storage and default display format 4 Enable SSH on the Switch and Anticipate SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients After you enable SSH the switch can authenticate itself to SSH clients Note Before enabling SSH on the switch you must generate the switc...

Page 160: ...e to pose undetected as the switch and learn the usernames and passwords controlling access to the switch You can remove this possibility by directly connecting the management station to the switch s serial port using a show command to display the switch s public key and copying the key from the display into a file This requires a knowledge of where your client stores public keys plus the knowledg...

Page 161: ...6 10 Example of Enabling IP SSH and Listing the SSH Configuration and Status port 1 65535 default The TCP port number for SSH connections default 22 Important See Note on Port Number on page 6 17 timeout 5 120 The SSH login timeout value default 120 seconds The switch uses these settings internally for transactions with clients See the Caution on page 6 18 Enables SSH on the switch Lists the curre...

Page 162: ...s Management and Configuration Guide To protect against unauthorized access to the serial port and the Clear button which removes local password protection keepphysical access to the switch restricted to authorized personnel 5 Configure the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch s public key by an SSH client However only Option B ...

Page 163: ...he client s public key into a public key file which can contain up to ten client public keys 3 Copy the public key file into a TFTP server accessible to the switch and download the file to the switch For more on these topics refer to Further Information on SSH Client Public Key Authentication on page 6 22 Syntax aaa authentication ssh login local tacacs radius local none Configures a password meth...

Page 164: ...to the switch For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client Keys pub For Manager level enable access for successful SSH clients you want to use TACACS for primary password authentication and local for secondary password authenti cation with a Manager username of 1eader and a password of m0ns00n To set up this operation yo...

Page 165: ...nd password Configures the switch to allow SSH access only a client whose public key matchesoneofthe keys in the public key file Configures the primary and secondary password methods for Manager enable access Becomes available after SSH access is granted Copies a public key file named Client Keys pub into the switch Lists the current SSH authentication configuration Shows the contents of the publi...

Page 166: ...blic keys for authenticating clients This requires storing an ASCII version of each client s public key without babble conversion or fingerprint conversion in a client public key file that you create and TFTP copy to the switch In this case only clients that have a private key corresponding to one of the stored public keys can gain access to the switch using SSH That is if you use this feature onl...

Page 167: ...o the client 5 The client uses its private key to decrypt the byte sequence 6 The client then a Combines the decrypted byte sequence with specific session data b Uses a secure hash algorithm to create a hash version of this informa tion c Returns the hash version to the switch 7 The switch computes its own hash version of the data in step 6 and compares it to the client s hash version If they matc...

Page 168: ...Refer to the documentation provided with your SSH client application for details The switch supports the following client public key properties Bit Size Exponent e Modulus n Comment Property Supported Value Comments Key Format ASCII See figure 6 7 on page 6 13 The key must be one unbroken ASCII string If you add more than one client public key to a file terminate each key except the last one with ...

Page 169: ...ublic keys in the file except the last one with a CR LF Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key Although you can manually add or edit any comments the client application adds to the end of the key such as the smith fellow at the end of the key in figure 6 13 on page 6 24 Syntax copy tftp pub ke...

Page 170: ...tartup config file reset the switch or reboot the switch You can remove the existing client public key file or specific keys by executing the clear crypto public key command Syntax clear crypto client public key Deletes the client public key file from the switch Syntax clear crypto client public key 3 Deletes the entry with an index of 3 from the client public key file on the switch The keylist st...

Page 171: ...ch in the switch s client public key file allow the client access if the user can enter the switch s login Operator password If the switch does not have an Operator password then deny access to that client Caution To configure client public key authentication to block SSH clients whose public keys are not in the client public key file you must configure the Login Secondary as none Otherwise the sw...

Page 172: ...mber See Note on Port Number on page 6 17 Client public key file corrupt or not found Use copy tftp pub key file ip addr filename to down load new file The client key does not exist in the switch Use copy tftp to download the key from a TFTP server Download failed overlength key in key file Download failed too many keys in key file Download failed one or more keys is not a valid public key The pub...

Page 173: ...es After you execute the crypto key generate ssh rsa command the switch displays this message while it is generating the key Host RSA key file corrupt or not found Use crypto key generate ssh rsa to create new host key The switch s key is missing or corrupt Use the crypto key generate ssh rsa command to generate a new key for the switch Message Meaning ...

Page 174: ...6 30 Configuring Secure Shell SSH Messages Related to SSH Operation ...

Page 175: ...nfiguring and Using SSL for Switch and Client Authentication 7 5 General Operating Rules and Notes 7 6 1 Assign Local Login Operator and Enable Manager Password 7 7 2 Generate the Switch s Server Host Certificate 7 8 3 Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior 7 17 Common Errors in SSL Setup 7 21 ...

Page 176: ...uthentication Note SSL in ProCurve switches is based on the OpenSSL software toolkit For more information on OpenSSL visit http www openssl com Server Certificate authentication with User Password Authentication This option is a subset of full certificate authentication of the user and host It occurs only if the switch has SSL enabled As in figure 7 1 the switch authenticates itself to SSL enabled...

Page 177: ...p part of server host certificate and private portion is stored in switch flash not user accessible Digital Certificate A certificate is an electronic passport that is used to establish the credentials of the subject to which the certificate was issued Information contained within the certificate includes name of the subject serial number date of validity subject s public key and the digital signa...

Page 178: ... signed certificates Trusted certificates are distributed as an integral part of most popular web clients see browser documentation for which root certificates are pre installed Manager Level Manager privileges on the switch Operator Level Operator privileges on the switch Local password or username A Manager level or Operator level password configured in the switch SSL Enabled 1 A certificate key...

Page 179: ...tionality See the browser documentation for addi tional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 7 7 2 Generate a host certificate on the switch page 7 8 i Generate certificate key pair ii Generate host certificate You need to do this only once The switch s own public private certificate key pair and certificate are stored in the switch ...

Page 180: ...ty breaches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config command The public private certificate key pair is not be confused with the SSH public private key pair The certificate key pair and the SSH key pair are independent of each other which means a switch can have two keys ...

Page 181: ...ast a Manager password to the switch Otherwise under some circumstances anyone with Telnet web or serial port access could modify the switch s configuration SSL Related CLI Commands in This Section Page web management ssl page 7 19 show config page 7 19 show crypto host cert page 7 12 crypto key generate cert rsa 512 768 1024 page 7 10 zeroize cert page 7 10 crypto host cert generate self signed a...

Page 182: ...ice passwords button 2 Click in the appropriate box in the Device Passwords window and enter user names and passwords You will be required to repeat the password strings in the confirmation boxes Both the user names and passwords can be up to 16 printable ASCII characters 3 Click on Apply Changes button to activate the user names and pass words 2 Generate the Switch s Server Host Certificate You m...

Page 183: ...ty signed certificate which is digitally signed by a certificate authority has an audit trail to a root CA certificate and can be verified unequivocally Note There is usually a fee associated with receiving a verified certificate and the valid dates are limited by the root certificate authority issuing the certificate When you generate a certificate key pair and or certificate on the switch the sw...

Page 184: ...st cert generate self signed Arg List command Note When generating a self signed host certificate on the CLI if there is not certificate key generated this command will fail Comments on Certificate Fields There are a number arguments used in the generation of a server certificate table 7 1 Certificate Field Descriptions describes these arguments Syntax crypto key generate cert rsa 512 768 1024 Gen...

Page 185: ...begin using the SSL functionality Valid End Date This can be any future date however good security practices would suggest a valid duration of about one year between updates of passwords and keys Common name This should be the IP address or domain name associated with the switch Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the switc...

Page 186: ...o host cert command Generate a Self Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface For more information on how to access the web browser interface refer to the chapter titled Using the Web Browser Interface in the Management and Configuration Guide for your switch To generate a self signed host certificate from the web browser interface ...

Page 187: ... button iii Select Self Signed in the Certificate Type drop down list iv Select the RSA Key Size desired If you want to re use the current certificate key select Current from this list v Fill in the remaining certificate arguments Refer to Comments on Certificate Fields on page 7 10 vi Click on the Apply Changes button to generate new certificate and key if selected Note When generating a self sig...

Page 188: ...eb browsers inter face Figure 7 5 Self Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface 1 Select the Security tab 2 Select the SSL button Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments ...

Page 189: ...ormation on how to access the web browser interface refer to the chapter titled Using the Web Browser Inter face in the Management and Configuration Guide for your switch The installation of a CA signed certificate involves interaction with other entities and consists of three phases The first phase is the creation of the CA certificate request which is then copied off from the switch for submissi...

Page 190: ...ist iv Select the key size from the RSA Key Size drop down list If you want to re use the current certificate key select Current from this list v Fill in the remaining certificate arguments Refer to Comments on Certificate Fields on page 7 10 vi Click on Apply Changes to create the certificate request A new web browser page appears consisting of two text boxes The switchuses the upper text box for...

Page 191: ...st Certificate Request Reply BEGIN CERTIFICATE MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93...

Page 192: ...ate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequivocally As long as you are confident that an unauthorized device is not using the switch s IP address in an attempt to gain access to your data or network you can accept the connection Note When an SSL client connects to the switch for the first time it is possible fo...

Page 193: ...SL To enable SSL on the switch i Proceed to the Security tab then the SSL button ii Select SSL Enable to On and enter the TCP port you desire to connect on iii Click on the Apply Changes button to enable SSL on the port To disable SSL on the switch do either of the following i Proceed to the Security tab then the SSL button ii Select SSL Enable to Off iii Click on the Apply Changes button to enabl...

Page 194: ...Caution SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides you may want to disable Telnet access no telnet If you need to increase SNMP security use SNMP version 3 only for SNMP access Another security measure is to use the A...

Page 195: ...eb browser interface You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the Web browser interface on page 7 12 You may be using a reserved TCP port Refer to Note on Port Number on page 7 20 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior on page 7 17 Your browser may...

Page 196: ...7 22 Configuring Secure Socket Layer SSL Common Errors in SSL Setup ...

Page 197: ...s Before You Configure 802 1X Operation 8 14 Overview Configuring 802 1X Authentication on the Switch 8 15 Configuring Switch Ports as 802 1X Authenticators 8 17 1 Enable 802 1X Authentication on Selected Ports 8 17 2 Reconfigure Settings for Port Access 8 20 3 Configure the 802 1X Authentication Method 8 23 4 Enter the RADIUS Host IP Address es 8 24 5 Enable 802 1X Authentication on the Switch 8 ...

Page 198: ...llow Only 802 1X Devices 8 40 Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches 8 42 Displaying 802 1X Configuration Statistics and Counters 8 47 Show Commands for Port Access Authenticator 8 47 Viewing 802 1X Open VLAN Mode Status 8 50 Show Commands for Port Access Supplicant 8 53 How RADIUS 802 1X Authentication Affects VLAN Operation 8 54 Messages Relat...

Page 199: ...e ProCurve switches covered in this manual includes the follow ing Switch operation as both an authenticator for supplicants having a point to point connection to the switch and as a supplicant for point to point connections to other 802 1X aware switches Authentication of 802 1X clients using a RADIUS server and either the EAP Extensible Authentication Protocol or CHAP Challenge Hand shake Authen...

Page 200: ...interval Use of Show commands to display session counters User Authentication Methods The switch offers two methods for using 802 1X access control Generally the Port Based method supports one 802 1X authenticated client on a port which opens the port to an unlimited number of clients The Client Based method supports up to two 802 1X authenticated clients on a port In both cases there are operatin...

Page 201: ...ly authenticates The most recent client authentication determines the untagged VLAN membership for the port Also any client able to use the port can access any tagged VLAN memberships statically configured on the port provided the client is configured to use the available tagged VLAN memberships If the first client authenticates and opens the port and then one or more other clients connect without...

Page 202: ...wnloading 802 1X Supplicant Software For clients that do not have the necessary 802 1X supplicant software there is also the option to configure the 802 1X Open VLAN mode This mode allows you to assign such clients to an isolated VLAN through which you can provide the necessary supplicant software these clients need to begin the authentication process Refer to 802 1X Open VLAN Mode on page 8 26 Au...

Page 203: ...uch clients use the same untagged port based VLAN membership Authentication Server The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator In the case of a switch running 802 1X this is a RADIUS server unless local authentication is used in which case the switch performs this function using its own username and password for authenti...

Page 204: ...ces Tagged Membership in a VLAN This type of VLAN membership allows a port to be a member of multiple VLANs simultaneously If a client connected to the port has an operating system that supports 802 1Q VLAN tagging then the client can access VLANs for which the port is a tagged member If the client does not support VLAN tagging then it can access only a VLAN for which the port is an untagged membe...

Page 205: ... there is no authenticated client already using the port Untagged Membership in a VLAN A port can be an untagged member of only one VLAN In the factory default configuration all ports on the switch are untagged members of the default VLAN An untagged VLAN membership is required for a client that does not support 802 1q VLAN tagging A port can simultaneously have one untagged VLAN membership and mu...

Page 206: ...e switch responds with an identity request 3 The client responds with a user name that uniquely defines this request for the client 4 The switch responds in one of the following ways If 802 1X port access on the switch is configured for RADIUS authentication the switch then forwards the request to a RADIUS server i The server responds with an access challenge which the switch forwards to the clien...

Page 207: ...r if the ports are already connected and either switch reboots port A1 begins sending start packets to port B5 on switch B If after the supplicant port sends the configured number of start packets it does not receive a response it assumes that switch B is not 802 1X aware and transitions to the authenticated state If switch B is operating properly and is not 802 1X aware then the link should begin...

Page 208: ...s allowed Multicast and broadcast traffic is allowed on the port Unicast traffic to authenticated clients on the port is allowed All traffic from authenticated clients on the port is allowed When a port on the switch is configured as either an authenticator or supplicant and is connected to another device rebooting the switch causes a re authentication of the link Using client based 802 1X authent...

Page 209: ...igure the port for 802 1X authenticator operation the port will block the client from further network access until it can be authenticated On a port configured for 802 1X with RADIUS authentication if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member the port will be blocked If the port is later removed from the trunk the port will try to authenticate the supplic...

Page 210: ...802 1X Open VLAN mode for clients that are not 802 1X aware that is for clients that are not running 802 1X supplicant software This will require you to provide download able software that the client can use to enable an authentication session For more on this topic refer to 802 1X Open VLAN Mode on page 8 26 5 For each port you want to operate as a supplicant determine a username and password pai...

Page 211: ...hat they can initiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 8 26 3 Configure the 802 1X authentication type Options include Local Operator username and password the default This option allows a client to use the switch s local username and password as valid 802 1X credentials for network access EAP RADIUS This option...

Page 212: ... for 802 1X operation and if desired the action to take if an unauthorized device attempts access through an 802 1X port See page 8 40 8 If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802 1X authenticator on another device then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connectio...

Page 213: ...en you enable 802 1X authentication on a port the switch automatically disables LACP on that port However if the port is already operating in an LACP trunk you must remove the port from the trunk before you can config ure it for 802 1X authentication 802 1X Authentication Commands Page no aaa port access authenticator ethernet port list 8 17 control quiet period tx period client limit supplicant t...

Page 214: ...tion from port list To activate configured 802 1X operation you must enable 802 1X authentication Refer to 5 Enable 802 1X Authentication on the switch on page 8 15 Syntax aaa port access authenticator client limit port list 1 2 Used after executing aaa port access authenticator port list above to convert authentication from port based to client based Specifies client based 802 1X authentication a...

Page 215: ...from client based authentication to port based authentication which is the default setting for ports on which authentication is enabled Executing aaa port access authenticator port list enables 802 1X authenti cation on port list and enables port based authentica tion page 8 17 If a port currently has no authenticated client sessions the next authenticated client session the port accepts determine...

Page 216: ... to provide 802 1X credentials or support 802 1X authentication You can still configure console Telnet or SSH security on the port auto the default The device connected to the port must support 802 1X authentication and provide valid credentials to get network access Optional You can use the Open VLAN mode to provide a path for clients without 802 1X supplicant software to down load this software ...

Page 217: ...erver response to an authentication request If there is no response within the configured time frame the switch assumes that the authentication attempt has timed out Depending on the current max requests setting the switch will either send a new request to the server or end the authentication session Default 30 seconds max requests 1 10 Sets the number of authentication attempts that must time out...

Page 218: ...d of time the switch waits for client activity before removing an inactive client from the port Default 300 seconds auth vid vid Configures an existing static VLAN to be the Autho rized Client VLAN Refer to 802 1X Open VLAN Mode on page 8 26 initialize On the specified ports blocks inbound and outbound traffic and restarts the 802 1X authentication process This happens only on ports configured wit...

Page 219: ... more EAP capable RADIUS servers Figure 8 5 Example of 802 1X Port Access Authentication Syntax aaa authentication port access local eap radius chap radius Determines the type of RADIUS authentication to use local Use the switch s local username and password for supplicant authentication eap radius Use EAP RADIUS authentication Refer to the documentation for your RADIUS server chap radius Use CHAP...

Page 220: ...vate it with this command Syntax radius host ip address Adds a server to the RADIUS configuration key server specific key string Optional Specifies an encryption key for use during authentication or accounting sessions with the spec ified server This key must match the key used on the RADIUS server Use this option only if the specified server requires a different key than configured for the global...

Page 221: ...stics on specific ports Syntax aaa port access authenticator port list initialize On the specified ports blocks inbound and outbound traffic and restarts the 802 1X authentication process This happens only on ports configured with controlauto and actively operating as 802 1X authenticators reauthenticate On the specified ports forces reauthentication unless the authenticator is in HELD state clear...

Page 222: ...t could not access the network This prevented the client from Acquiring IP addressing from a DHCP server Downloading the 802 1X supplicant software necessary for an authen tication session The 802 1X Open VLAN mode solves this problem by temporarily suspending the port s static tagged and untagged VLAN memberships and placing the port in a designated Unauthorized Client VLAN In this state the clie...

Page 223: ...he untagged VLAN membership for that port Clients that connect without trying to authenticate will have access to the untagged VLAN mem bership that is currently assigned to the port VLAN Membership Priorities Following client authentication an 802 1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration The port also becomes an untagged member of...

Page 224: ... per port 802 1X Open VLAN mode authentication Unauthorized Client VLAN Configure this VLAN when unauthen ticated friendly clientswillneed accesstosomeservicesbefore being authenticated Authorized Client VLAN Configure this VLAN for authenticated clients when the port is not statically configured as an untagged member of a VLAN you want clients to use or when the port is statically configured as a...

Page 225: ... blocked while the port is a member of the Unauthorized Client VLAN Authorized Client VLAN After the client is authenticated the port drops membership in the Unauthorized Client VLAN and becomes an untagged member of this VLAN Note if RADIUS authentication assigns a VLAN the port temporarily becomes a member of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is conn...

Page 226: ...of another VLAN the port s access to this other VLAN is restored Note If RADIUS authentication assigns a VLAN to the port this assignment overrides any statically configured untagged VLAN membership on the port while the client is connected If the port is statically configured as a tagged member of a VLAN that is not used by 802 1X Open VLAN mode the port returns to tagged membership in this VLAN ...

Page 227: ...ip in that VLAN Table 8 1 802 1X Open VLAN Mode Options 802 1X Per Port Configuration Port Response Condition Rule Static VLANs used as Authorized Client or Unauthorized Client VLANs These must be configured on the switch before you configure an 802 1X authenticator port to use them Use the vlan vlan id command or the VLAN Menu screen in the Menu interface VLAN Assignment Received from a RADIUS Se...

Page 228: ...uthorized Client VLAN also untagged While the Authorized Client VLAN is in use the port does not have access to the statically configured untagged VLAN Whentheauthenticatedclientdisconnects theswitchremovesthe port from the Authorized Client VLAN and moves it back to the untagged membership in the statically configured VLAN After client authentication the port resumes any tagged VLAN memberships f...

Page 229: ... VLAN regardless ofotherfactors This meansthata client without802 1X client authentication software cannot access a configured Unauthenticated Client VLAN if another authenticated client is already using the port Note Limitation on Using an Unauthorized Client VLAN on an 802 1X Port Configured to Allow Multiple Client Access You can optionally enable switches to allow up to 2 clients per port The ...

Page 230: ...d client Statically configure an Authorized Client VLAN in the switch The only ports that should belong to this VLAN are ports offering services and access you want available to authenticated clients 802 1X authen ticator ports do not have to be members of this VLAN Note that if an 802 1X authenticator port is an untagged member of another VLAN the port s access to that other VLAN will be temporar...

Page 231: ...pplicant software that supports the use of local switch passwords Caution Ensure that you do not introduce a security risk by allowing Unauthorized Client VLAN access to network services or resources that could be compro mised by an unauthorized client Configuring General 802 1X Operation These steps enable 802 1X authentication and must be done before configuring 802 1X VLAN operation 1 Enable 80...

Page 232: ...sUse EAP RADIUS authentication Refer to the documentation for your RADIUS server chap radiusUse CHAP RADIUS MD5 authentication Refer to the documentation for your RADIUS server software Syntax radius host ip address Adds a server to the RADIUS configuration key server specific key string Optional Specifies an encryption key for use with the specified server This key must match the key used on the ...

Page 233: ...nt to configure 802 1X port access with Open VLAN mode on ports A10 A20 and These two static VLANs already exist on the switch Unauthorized VID 80 Authorized VID 81 Your RADIUS server has an IP address of 10 28 127 101 The server uses rad4all as a server specific key string The server is connected to a port on the Default VLAN The switch s default VLAN is already configured with an IP address of 1...

Page 234: ...ces that must be protected from unauthenticated clients If a port is configured as a tagged member of VLAN X that is not used as an Unauthorized Client Authorized Client or RADIUS assigned VLAN then the port returns to tagged membership in VLAN X upon successful client authentication This happens even if the RADIUS server assigns the port to another authorized VLAN Y Note that if RADIUS assigns VL...

Page 235: ... Authorized Client VLAN configured then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured If the only authenticated client on a port loses authentication during a session in 802 1X Open VLAN mode the port VLAN membership reverts back to the Unauthorized Client VLAN If there is no Unauthorized Client VLAN configured then the client loses access to the por...

Page 236: ...ort Note Port Security operates with 802 1X authentication as described above only if the selected ports are configured as 802 1X that is with the control mode in the port access authenticator command set to auto For example to configure port A10 for 802 1X authenticator operation and display the result ProCurve config aaa port access authenticator e A10 control auto ProCurve config show port acce...

Page 237: ...he port but set to authorized Force Authorized use this command syntax to allow only an 802 1X aware device Not e If 802 1X port access is configured on a given port then port security learn mode for that port must be set to either continuous the default or port access In addition to the above to use port security on an authenticator port use the per port client limit option to control how many MA...

Page 238: ... two switches where Syntax aaa port access auth port list client limit 1 8 Configures client based 802 1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn For more on this command refer to Configuring Switch Ports as 802 1X Authenticators on page 8 17 Or no aaa port access auth port list client limit Configures port based 802 1X authen...

Page 239: ...ning normally but without 802 1X security If after sending one or more start request packets port A1 receives a request packet from port B5 then switch B is operating as an 802 1X authenticator The supplicant port then sends a response ID packet If switch B is configured for RADIUS authentication it forwards this request to a RADIUS server If switch B is configured for Local 802 1X authentication ...

Page 240: ...want to configure If the intended authenticator port uses RADIUS authentication then use the identity and secret options to configure the RADIUS expected username and password on the supplicant port If the intended authenticator port uses Local 802 1X authentication then use the identity and secret options to configure the authenticator switch s local username and password on the supplicant port S...

Page 241: ...ecret password Repeat secret password Sets the secret password to be used by the port suppli cant when an MD5 authentication request is received from an authenticator The switch prompts you to enter the secret password after the command is invoked aaa port access supplicant ethernet port list auth timeout 1 300 Sets the period of time the port waits to receive a challenge from the authenticator If...

Page 242: ...t period for a response If no response comes during the start period the supplicant sends a new start packet The max start setting above specifies how many start attempts are allowed in the session Default 30 seconds aaa port access supplicant ethernet port list initialize On the specified ports blocks inbound and outbound traffic and restarts the 802 1X authentication process Affects only ports c...

Page 243: ...on counters displays whether port access authenticator is active Yes or No and the status of all ports configured for 802 1X authentication The Authenticator Backend State in this data refers to the switch s interaction with the authentication server With port list only same as above but limits port status to only the specified port Does not display data for a specified port that is not enabled as...

Page 244: ...er port access authenticator is active The statistics of the ports configured as 802 1X authenticators including the supplicant s MAC address as determined by the content of the last EAPOL frame received on the port Does not display data for a specified port that is not enabled as an authenticator session counters e port list Shows Whether port access authenticator is active The session status on ...

Page 245: ...her it meets 802 1X criteria Unauthorized Network access is blocked to any device connected to the port regardless of whether the device meets 802 1X criteria Max reqs Number of authentication attempts that must time out before authentication fails and the authentication session ends Quiet Period Period of time in seconds during which the port does not try to acquire a supplicant TX Timeout Period...

Page 246: ...h VLAN ID is configured and matches the Current VLAN ID in the above command output an authenticated client is connected to the port This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN An Unauth VLAN ID appearing in the Current VLAN ID column for the same port indicates an unauthenticated client is connected to this port Assumes that the port is not ...

Page 247: ...res the port to allow network access to any connected device that supports 802 1X authentication and provides valid 802 1X credentials This is the default authenticator setting FA Configures the port for Force Authorized which allows access to any device connected to the port regardless of whether it meets 802 1X criteria You can still configure console Telnet or SSH security on the port FU Config...

Page 248: ...ed port Current VLAN ID vlan id Lists the VID of the static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Table 8 3 Open VLAN Mode Status Status Indicator Meaning Syntax show vlan vlan id Displays the port status for the selected VLAN including an indication of which port memberships have been temporarily overridden by Open VLAN mode Note ...

Page 249: ...ction statistics it most recently received until one of the above events occurs Also if you move a link with an authenticator from one Syntax show port access supplicant e port list statistics show port access supplicant e port list Shows the port access supplicant configuration excluding the secret parameter for all ports or port list ports configured on the switch as supplicants The Supplicant S...

Page 250: ...t does not exist or is a dynamic VLAN created by GVRP authentication fails Also for the session to proceed the port must be an untagged member of the required VLAN If it is not the switch temporarily reassigns the port as described below If the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not alrea...

Page 251: ...t that the client use VLAN 22 then VLAN 22 becomes available as Untagged on port A2 for the duration of the session VLAN 33 becomes unavailable to port A2 for the duration of the session because there can be only one untagged VLAN on any port You can use the show vlan vlan id command to view this temporary change to the active configuration as shown below You can see the temporary VLAN assignment ...

Page 252: ...emporarily Drops Port 22 for the 802 1X Session This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802 1X session This is to accommodate an 802 1X client s access authenticated by a RADIUS server where the server included an instruction to put the client s access on VLAN 22 Note With the current VLAN configuration figure 8 10 the only time port A2 appears in this show vlan 22 ...

Page 253: ...e 802 1X Session Ends Notes Any port VLAN ID changes you make on 802 1X aware ports during an 802 1X authenticated session do not take effect until the session ends With GVRP enabled a temporary untagged static VLAN assignment created on a port by 802 1X authentication is advertised as an existing VLAN If this temporary VLAN assignment causes the switch to disable a configured untagged static VLAN...

Page 254: ...t on page 8 44 No server s responding This message can appear if you configured the switch for EAP RADIUS or CHAP RADIUS authentication but the switch does not receive a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that message page...

Page 255: ...ween MAC Lockdown and Port Security 9 19 Deploying MAC Lockdown 9 21 MAC Lockout 9 25 Port Security and MAC Lockout 9 27 Web Displaying and Configuring Port Security Features 9 28 Reading Intrusion Alerts and Resetting Alert Flags 9 28 Notice of Security Violations 9 28 How the Intrusion Log Operates 9 29 Keeping the Intrusion Log Current by Resetting Alert Flags 9 30 Using the Event Log To Find I...

Page 256: ...and log attempts by unauthorized devices to communicate through the switch Note This feature does not prevent intruders from receiving broadcast and multi cast traffic Basic Operation Default Port Security Operation The default port security setting for each port is off or continuous That is any device can access a port without causing a security reaction Intruder Protection A port that detects an...

Page 257: ...allowed to send inbound traffic through the port This feature Closes the port to inbound traffic from any unauthorized devices that are connected to the port Provides the option for sending an SNMP trap notifying of an attempted security violation to a network management station and optionally disables the port For more on configuring the switch for SNMP management refer to Trap Receivers and Auth...

Page 258: ...ion Ports configured for either Active or Passive LACP and which are not members of a trunk can be configured for port security Switch A Port Security Configured Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A PC 2 MAC Address NOT Authorized by Switch A PC 3 MAC Address NOT Authorized by Switch A Switch C MAC Address NOT Authorized by Switch A Switch A Port Secu...

Page 259: ...t detects or not d For each port what security actions do you want The switch automatically blocks intruders detected on that port from transmit ting to the network You can configure the switch to 1 send intrusion alarms to an SNMP management station and to 2 option ally disable the port on which the intrusion was detected e How do you want to learn of the security violation attempts the switch de...

Page 260: ...is section describes the CLI port security command and how the switch acquires and maintains authorized addresses Note Use the global configuration level to execute port security configuration commands show port security 9 11 port security 9 12 ethernet port list 9 12 learn mode 9 12 address limit 9 12 mac address 9 12 action 9 12 clear intrusion flag 9 12 no port security 9 12 ...

Page 261: ...d address limit That is if you enter fewer MAC addresses than you authorized the port fills the remainder of the address allowance with MAC addresses it automatically learns For example if you specify three authorized devices but enter only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses ...

Page 262: ...ent Based Access Control 802 1X on page 8 1 address limit integer When Learn Mode is set to static static learn or configured static configured this parameter specifies the number of authorized devices MAC addresses to allow Default 1 Range 1 to 8 mac address mac addr Available for static static learn and configured learn modes Allows up to eight authorized devices MAC addresses per port depending...

Page 263: ... alarm Causes the switch to send an SNMP trap to a network management station send disable Available only with learn mode configured and learn mode static Causes the switch to send an SNMP trap to a network management station and disable the port If you subsequently re enable the port without clearing the port s intrusion flag the port will block further intruders but the switch will not disable t...

Page 264: ...the startup config file to match the running config file Assigned Authorized MAC Addresses If you manually assign a MAC address using mac address mac addr and then execute write memory the assigned MAC address remains in memory unless removed by one of the methods described below Removing Learned and Assigned Static MAC Addresses To remove a static MAC address do one of the following Delete the ad...

Page 265: ... security displays operating control settings for all ports on a switch For example Figure 9 2 Example Port Security Listing Ports A7 and A8 Show the Default Setting Withportnumbersincludedinthecommand showport securitydisplaysLearn Mode Address Limit alarm Action and Authorized Addresses for the spec ified ports on a switch The following example lists the full port security configuration for a si...

Page 266: ...mac addr mac addr action none send alarm send disable clear intrusion flag For the configured option above refer to the Note on page 9 6 no port security port list mac address mac addr mac addr mac addr Specifying Authorized Devices and Intrusion Responses Learn Mode Static This example configures port A1 to automatically accept the first device MAC address it detects as the only authorized device...

Page 267: ...ort to static Learn Mode restores the configured device authorization Learn Mode Configured This option allows only MAC addresses specifi cally configured with learn mode configured mac address mac address and does not automatically learn non specified MAC addresses learned from the network This example configures port A1 to Allow only a MAC address of 0c0090 123456 as the authorized device Reserv...

Page 268: ... the following command adds the 0c0090 456456 MAC address as the second authorized address ProCurve config port security a1 mac address 0c0090 456456 After executing the above command the security configuration for port A1 appears as Figure 9 5 Example of Adding a Second Authorized Device to a Port The Address Limit has not been reached Although the Address Limit is set to 2 only one device has be...

Page 269: ...t increase the Address Limit in order to add the device even if you want to replace one device with another Using the CLI you can simultaneously increase the limit and add the MAC address with a single command For example suppose port A1 allows one authorized device and already has a device listed Figure 9 6 Example of Port Security on Port A1 with an Address Limit of 1 Toadda secondauthorizeddevi...

Page 270: ...t and when the current number of devices equals the Address Limit value you should first reduce the Address Limit value by 1 then remove the unwanted device Note When you have configured the switch for learn mode static operation you can reduce the address limit below the number of currently authorized addresses on a port This enables you to subsequently remove a device from the Autho rized list w...

Page 271: ...o 1 ProCurve config port security a1 address limit 1 ProCurve config no port security a1 mac address 0c0090 123456 The above command sequence results in the following configuration for port A1 Figure 9 8 Example of Port A1 After Removing One MAC Address ProCurve config show port security 1 Port Security Port 1 Learn Mode Static Address Limit 1 Action None Authorized Addresses 0c0090 456456 ...

Page 272: ...n a pair with a VLAN all information sent to that MAC address must go through the locked down port If the device is moved to another port it cannot receive data Traffic to the designated MAC address goes only to the allowed port whether the device is connected to it or not MAC Lockdown is useful for preventing an intruder from hijacking a MAC address from a known user in order to steal data Withou...

Page 273: ...at if the device moves to a distant part of the network where data sent to its MAC address never goes through the locked down switch it may be possible for the device to have full two way communication For full and complete lockdown network wide all switches must be configured appropriately Other Useful Information Once you lock down a MAC address VLAN pair on one port that pair cannot be locked d...

Page 274: ... used on another port on the same switch The switch does not allow MAC Lockdown and port security on the same port MAC Lockdown Operating Notes Limits There is a limit of 500 MAC Lockdowns that you can safely code per switch To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch In reality few network administrators ...

Page 275: ...prevent the log file from becoming too full You can also configure the switch to send the same messages to a Syslog server Refer to Debug and Syslog Messaging Operation in appendix C of the Management and Configuration Guide for your switch Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security In some cases where you...

Page 276: ...You can use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go through the one port on the edge switches That way users on the edge can still use other network resources but they cannot spoof Server A and hijack data traffic which is intended for that server alone 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch Inter...

Page 277: ...ge any traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect agains...

Page 278: ...the above figure would defeat the purpose of using STP or having an alternate path Technologies such as STP are primarily intended for an internal campus network environment in which all users are trusted STP does not work well with MAC Lockdown If you deploy MAC Lockdown as shown in the Model Topology in figure 9 9 page 9 22 you should have no problems with either security or connectivity M i x e...

Page 279: ...lemented on a per switch assignment You can think of MAC Lockout as a simple blacklist The MAC address is locked out on the switch and on all VLANs No data goes out or in from the blacklisted MAC address to a switch using MAC Lockout The number of MAC lockouts allowed per VLAN depends on the number of VLANs you have configured as shown below Table 9 1 Number of MAC Lockouts with VLANS To fully loc...

Page 280: ...ll ports MAC Lockout overrides MAC Lockdown port security and 802 1X authenti cation You cannot use MAC Lockout to lock Broadcast or Multicast Addresses Switches do not learn these Switch Agents The switch s own MAC Address If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file Lockout logging format W 10 30 03 21 35 15 maclock module...

Page 281: ...careful if you use both together however If a MAC Address is locked out and appears in a static learn table in port security the apparently authorized address will still be locked out anyway MACentryconfigurationssetbyportsecurity willbe keptevenifMAC Lockout is configured and the original port security settings will be honored once the Lockout is removed A port security static address is permitte...

Page 282: ...for that port and makes the intrusion information available as described below While the switch can detect additional intrusions for the same port it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset When a security violation occurs on a port configured for Port Security the switch responds in the following ways to n...

Page 283: ...l you acknowledge the earlier intrusion event by reset ting the alert flag The Intrusion Log lists the 20 most recently detected security violation attempts regardless of whether the alert flags for these attempts have been reset This gives you a history of past intrusion attempts Thus for example if there is an intrusion alert for port A1 and the Intrusion Log shows two or more entries for port 1...

Page 284: ... the port s alert flag and disables the port If you re enable the port without resetting the port s alert flag then the port operates as follows The port comes up and will block traffic from unauthorized devices it detects If the port detects another intruder it will send another SNMP trap but will not become disabled again unless you first reset the port s intrusion flag This operation enables th...

Page 285: ...ledged reset This is indicated by the following Because the Port Status screen figure 9 14 on page 9 31 does not indicate an intrusion for port A1 the alert flag for the intru sion on port A1 has already been reset Since the switch can show only one uncleared intrusion per port the older intrusion for port A3 in this example has also been previously reset The Intrusion Alert column shows Yes for a...

Page 286: ...on on this port type R for Reset alert flags Note that if there are unacknowledged intru sions on two or more ports this step resets the alert flags for all such ports If you then re display the port status screen you will see that the Intrusion Alert entry for port A3 has changed to No That is your evidence that the Intrusion Alert flag has been acknowledged reset is that the Intrusion Alert colu...

Page 287: ...Port Security on page 9 36 In the following example executing show interfaces brief lists the switch s port status which indicates an intrusion alert on port A1 Figure 9 16 Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion you would then enter the show port security intrusion log command For example Syntax show interfaces brief ...

Page 288: ...urred prior to the reset To clear the intrusion from port A1 and enable the switch to enter any subsequentintrusionforportA1intheIntrusionLog executetheport security clear intrusion flag command If you then re display the port status screen you will see that the Intrusion Alert entry for port A1 has changed to No Executing showport securityintrusion log again will result in the same display as abo...

Page 289: ...rom the Manager or Configuration level Syntax log search text For search text you can use ffi security or violation For example Figure 9 19 Example of Log Listing With and Without Detected Security Violations From the Menu Interface In the Main Menu click on 4 Event Log and use Next page and Prev page to review the Event Log contents For More Event Log Information See Using the Event Log To Identi...

Page 290: ...hrough a switch port configured for Static port security and your browser access is through a proxy Web server then it is necessary to do the following Enter your PC or workstation MAC address in the port s Authorized Addresses list Enter your PC or workstation s IP address in the switch s IP Autho rized Managers list See chapter 10 Using Authorized IP Managers Without both of the above configured...

Page 291: ... port security on a port on which LACP active or passive is configured the switch removes the LACP configuration displays a notice that LACP is disabled on the port s and enables port security on that port For example ProCurve config port security e a17 learn mode static address limit 2 LACP has been disabled on secured port s ProCurve config The switch will not allow you to configure LACP on a po...

Page 292: ...otforwardedtootherprotectedports Protected ports can communicate with unprotected ports but not with each other Unprotected ports can communicate with all ports The protected ports command applies to logical ports trunks as well as untrunked ports Figure 9 20 Example of Protected Ports Command for Ports 4 and 5 To display information about which ports have been configured as protected ports enter ...

Page 293: ...t are not able to communicate with each other or any of the other rooms that are connected to protected ports Figure 9 23 Example With Ports 1 8 Protected and Ports 9 and 10 Unprotected ProCurve config show protected ports Protected ports 4 5 Unprotected ports 1 3 6 26 ProCurve config show running config Running configuration J9019B Configuration Editor Created on release Q 11 XX hostname ProCurve...

Page 294: ...9 40 Configuring and Monitoring Port Security Configuring Protected Ports ...

Page 295: ...enu Viewing and Configuring IP Authorized Managers 10 5 CLI Viewing and Configuring Authorized IP Managers 10 6 Web Configuring IP Authorized Managers 10 9 Building IP Masks 10 9 Configuring One Station Per Authorized Manager IP Entry 10 9 Configuring Multiple Stations Per Authorized Manager IP Entry 10 10 Additional Examples for Authorizing Multiple Stations 10 12 Operating Notes 10 12 ...

Page 296: ...tures If the Authorized IP Managers feature disallows access to the device then access is denied Thus with authorized IP managers configured having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch s Authorized IP Managers configuration You can use Authorized IP Managers along with other access s...

Page 297: ... available in the switch and preventing unauthorized access to data on your management stations Access Levels Note The Authorized IP Manager feature can assign an access level to stations using Telnet SNMPv1 or SNMPv2c for switch access The access level the switch allows for authorized stations using SSH SNMPv3 or the Web browser interface is determined by the access application itself and not by ...

Page 298: ...tch without having to type an entry for every station All stations in the group defined by the one Authorized Manager IP table entry and its associated IP mask will have the same access level Manager or Operator For more on this topic refer to Config uring Multiple Stations Per Authorized Manager IP Entry on page 10 10 To configure the switch for authorized manager access enter the appropriate Aut...

Page 299: ...d Manager IP address to authorize four IP addresses for management station access The details on how to use IP masks are provided under Building IP Masks on page 10 9 Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch This mask serves a different purpose than IP subnet masks and is applied in a different manner Menu Viewing and...

Page 300: ...se the show ip authorized managers command to list IP stations authorized to access the switch For example 5 Press Enter then S for Save to configure the IP Authorized Manager entry 3 Use the default mask to allow access by one management device or edit the mask to allow access by a block of management devices See Building IP Masks on page 10 9 2 Enter an Authorized Manager IP address here 4 Use t...

Page 301: ...h 10 28 227 255 ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access manager IP Mask Authorized Station IP Address Access Mode 255 255 255 252 10 28 227 100 through 103 Manager 255 255 255 254 10 28 227 104 through 105 Manager 255 255 255 255 10 28 227 125 Manager 255 255 255 0 10 28 227 0 through 255 Operator Syntax ip authorized managers ip address Configures one or more aut...

Page 302: ...lue s Notice that any parameters not included in the command will be set to their default ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access operator The above command replaces the existing mask and access level for IP address 10 28 227 101 with 255 255 255 0 and operator The following command replaces the existing mask and access level for IP address 10 28 227 101 with 255 ...

Page 303: ...tton provided on the Web browser screen Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask If you have ten or fewer management and or operator stations you can configure them qui...

Page 304: ...of the mask is off set to 0 then the corresponding bit in the IP address of a potentially authorized station on the network does not have to match its counterpart in the IP address you entered in the Authorized Manager IP list Thus in the example shown above a 255 in an IP Mask octet all bits in the octet are on means only one value is allowed for that octet the value you specify in the correspond...

Page 305: ... that matches the authorized IP address settings for the fixed bits is allowed for the purposes of IP management station access to the switch Thus anymanagementstationhaving anIPaddress of 10 28 227 121 123 125 or 127 can access the switch Authorized IP Address 10 28 227 125 4th Octet of IP Mask 4th Octet of Authorized IP Address 249 5 Bit Numbers Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0 Bi...

Page 306: ...xy Servers If you use the Web browser interface to access the switch from an authorized IP manager station it is recommended that you avoid the use of a Web proxy server in the path between the station and the switch This is because switch access through a Web proxy server requires that you first add the Web proxy server to the Authorized Manager IP list This reduces security by opening switch acc...

Page 307: ... proxy service for Web access to the switch To do so add the IP address or DNS name of the switch to the non proxy or Exceptions list in the Web browser interface you are using on the authorized station If you don t need proxy server access at all on the authorized station then just disable the proxy server feature in the station s Web browser interface ...

Page 308: ...10 14 Using Authorized IP Managers Operating Notes ...

Page 309: ...orized Client VLAN multiple clients 8 33 VLAN unauthorized client different ports 8 34 unauthorized client best use 8 33 untagged 8 27 untagged membership 8 19 802 1x access control authenticate users 8 5 authenticator 8 18 unblock port 8 5 authorized client VLAN defined 8 7 auth vid 8 22 auto 8 20 clear statistics 8 25 control command 8 20 EAPOL 8 8 force authorized 8 20 force unauthorized 8 20 g...

Page 310: ... station 10 9 IP mask operation 10 4 operating notes 10 12 overview 10 1 precedence over other security 10 2 troubleshooting 10 12 C certificate CA signed 7 4 root 7 4 self signed 7 4 Clear button to delete password protection 2 5 configuration port security 9 5 RADIUS See RADIUS SSH See SSH connection inactivity time 2 3 console for configuring authorized IP managers 10 5 D DES 6 3 7 3 disclaimer...

Page 311: ...r button 2 5 if you lose the password 2 5 incorrect 2 3 length 2 4 operator only caution 2 3 pair 2 2 setting 2 4 password pair 2 2 password security 6 18 port security configuration 9 2 port access client limit 8 18 8 19 concurrent 8 18 8 19 See also 802 1X access control Web MAC 8 18 8 19 port security authorized address definition 9 3 authorized IP managers precedence 10 2 basic operation 9 2 c...

Page 312: ... 8 54 used with port security 8 40 VLAN operation 8 54 ports protected 9 38 prior to 9 32 9 34 9 36 Privacy Enhanced Mode PEM See SSH privilege mode 4 11 4 15 protected ports 9 38 configuring 9 38 logical ports 9 38 show 9 38 show running config 9 39 proxy web server 9 36 Q quick start 1 8 R RADIUS accounting 5 2 5 25 accounting configuration outline 5 27 accounting configure server access 5 28 ac...

Page 313: ...rity 6 18 CLI commands 6 9 client behavior 6 15 6 16 client public key authentication 6 19 6 22 client public key clearing 6 26 client public key creating file 6 24 client public key displaying 6 25 configuring authentication 6 18 crypto key 6 11 disabling 6 11 enable 6 16 7 19 enabling 6 15 erase host key pair 6 11 generate host key pair 6 11 generating key pairs 6 10 host key pair 6 11 key babbl...

Page 314: ...rameters 4 13 authentication 4 3 authentication process 4 23 authentication local 4 25 authorized IP managers effect 4 28 authorized IP managers precedence 10 2 configuration authentication 4 11 configuration encryption key 4 22 configuration server access 4 18 configuration timeout 4 23 configuration viewing 4 10 encryption key 4 6 4 18 4 19 4 22 encryption key general operation 4 26 encryption k...

Page 315: ...eration 3 5 blocked traffic 3 4 CHAP defined 3 9 usage 3 4 client status 3 30 configuration commands 3 18 configuring on the switch 3 17 switch for RADIUS access 3 15 features 3 4 general setup 3 12 LACP not allowed 3 11 redirect URL 3 9 rules of operation 3 10 show status and configuration 3 26 terminology 3 9 web browser interface for configuring authorized IP managers 10 7 10 9 web browser inte...

Page 316: ...8 Index ...

Page 317: ......

Page 318: ...e without notice Copyright 2008 Hewlett Packard Development Company L P All rights reserved Reproduction adaptation or translation without prior written permission is prohibited except as allowed under the copyright laws July 2008 Manual Part Number 5991 4763 ...

Search results

Summary of Contents for ProCurve 2510-24

Reviews:

Related manuals for ProCurve 2510-24

Brands by name

Popular brands

HP ProCurve 2510-24, Manual

Search results

Summary of Contents for ProCurve 2510-24

Reviews:

Related manuals for ProCurve 2510-24

Brands by name

Popular brands