HP ProCurve 2510G Series Manual Download Page 114 | Manualshive

Page: 114 / 320

background image

5-8

RADIUS Authentication, Authorization and Accounting

Configuring the Switch for RADIUS Authentication

out on a server that is unavailable. If you want to use this feature,
select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled;
range: 1 - 1440 minutes.) If your first-choice server was initially
unavailable, but then becomes available before the dead-time expires,
you can nullify the dead-time by resetting it to zero and then trying to
log on again. As an alternative, you can reboot the switch, (thus
resetting the dead-time counter to assume the server is available) and
then try to log on again.

•

Number of Login Attempts:

This is an

aaa authentication

command.

It controls how many times in one session a RADIUS client (as well
as clients using other forms of access) can try to log in with the correct
username and password. (Default: Three times per session.)

(For RADIUS accounting features, refer to “Configuring RADIUS Accounting”
on page 5-25.)

1. Configure Authentication for the Access Methods

You Want RADIUS To Protect

This section describes how to configure the switch for RADIUS authentication
through the following access methods:

■

Console:

Either direct serial-port connection or modem connection.

■

Telnet:

Inbound Telnet must be enabled (the default).

■

SSH:

To employ RADIUS for SSH access, you must first configure the

switch for SSH operation. Refer to “Configuring Secure Shell (SSH)”
on page 6-1.

■

Web:

Web browser interface.

You can also use RADIUS for Port-Based Access authentication. Refer to
“Configuring Port-Based and Client-Based Access Control (802.1X)” on page
8-1.

You can configure RADIUS as the primary password authentication method
for the above access methods. You will also need to select either

local

or

none

as a secondary, or backup, method. Note that for console access, if you
configure

radius

(or

tacacs

) for primary authentication, you must configure

local

for the secondary method. This prevents the possibility of being com-

pletely locked out of the switch in the event that all primary access methods
fail.

«
...
112
113
114
115
116
...
»

Summary of Contents for ProCurve 2510G Series

Page 1: ...Access Security Guide www procurve com ProCurve Series 2510G Switches Y 11 XX ...

Page 2: ......

Page 3: ...ProCurve Series 2510G Switches Access Security Guide June 2008 ...

Page 4: ...tten by Tim Hudson tjh cryptsoft com Disclaimer HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use o...

Page 5: ...eature Descriptions by Model 1 5 Command Syntax Statements 1 5 Command Prompts 1 6 Screen Simulations 1 6 Port Identity Examples 1 6 Sources for More Information 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 2 Configuring Username and Password Security Contents 2 1 Overview 2 2 Configuring Local Password Security 2 4 Menu Setting Passwords 2...

Page 6: ...eps Before You Configure Web MAC Authentication 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentication on the Switch 3 22 Overview 3 22 Configure the Switch for MAC Bas...

Page 7: ...y 4 26 Controlling Web Browser Interface Access When Using TACACS Authentication 4 28 Messages Related to TACACS Operation 4 29 Operating Notes 4 30 5 RADIUS Authentication Authorization and Accounting Contents 5 1 Overview 5 2 Terminology 5 3 Switch Operating Rules for RADIUS 5 4 General RADIUS Setup Procedure 5 5 Configuring the Switch for RADIUS Authentication 5 6 Outline of the Steps for Confi...

Page 8: ...H Contents 6 1 Overview 6 2 Terminology 6 4 Prerequisite for Using SSH 6 5 Public Key Formats 6 5 Steps for Configuring and Using SSH for Switch and Client Authentication 6 6 General Operating Rules and Notes 6 8 Configuring the Switch for SSH Operation 6 9 1 Assign Local Login Operator and Enable Manager Password 6 9 2 Generate the Switch s Public and Private Key Pair 6 10 3 Provide the Switch s ...

Page 9: ... Port Based or Client Based Access Control 8 3 General Features 8 3 User Authentication Methods 8 4 Terminology 8 7 General 802 1X Authenticator Operation 8 10 Example of the Authentication Process 8 10 Switch Port Supplicant Operation 8 11 General Operating Rules and Notes 8 12 General Setup Procedure for 802 1X Access Control 8 14 Do These Steps Before You Configure 802 1X Operation 8 14 Overvie...

Page 10: ...tatistics and Counters 8 47 Show Commands for Port Access Authenticator 8 47 Viewing 802 1X Open VLAN Mode Status 8 50 Show Commands for Port Access Supplicant 8 53 How RADIUS 802 1X Authentication Affects VLAN Operation 8 54 Messages Related to 802 1X Operation 8 58 9 Configuring and Monitoring Port Security Contents 9 1 Overview 9 2 Basic Operation 9 2 Blocking Unauthorized Traffic 9 3 Trunk Gro...

Page 11: ... 9 36 Configuring Protected Ports 9 37 10 Using Authorized IP Managers Contents 10 1 Overview 10 2 Configuration Options 10 3 Access Levels 10 3 Defining Authorized Management Stations 10 4 Overview of IP Mask Operation 10 4 Menu Viewing and Configuring IP Authorized Managers 10 5 CLI Viewing and Configuring Authorized IP Managers 10 6 Web Configuring IP Authorized Managers 10 9 Building IP Masks ...

Page 12: ...x ...

Page 13: ...gement Guide a PDF file on the ProCurve Networking website This guide explains the configuration and operation of traffic management features such as spanning tree and VLANs Access Security Guide a PDF file on the ProCurve Networking website This guide explains the configuration and operation of access security and user authentication features on the switch Release Notes posted on the ProCurve web...

Page 14: ...ion AdvancedTraffic Management Access Security Guide 802 1Q VLAN Tagging X 802 1p Priority X 802 1X Authentication X Authorized IP Managers X Config File X Copy Command X Debug X DHCP Configuration X DHCP Bootp Operation X Diagnostic Tools X Downloading Software X Event Log X Factory Default Settings X File Management X File Transfers X GVRP X IGMP X Interface Access Telnet Console Serial Web X IP...

Page 15: ...ation X Port Security X Port Status X Port Trunking LACP X Port Based Access Control X Port Based Priority 802 1Q X Quality of Service QoS X RADIUS Authentication and Accounting X Secure Copy X SFTP X SNMP X Software Downloads SCP SFTP TFTP Xmodem X Spanning Tree MSTP X SSH Secure Shell Encryption X SSL Secure Socket Layer X Stack Management Stacking X Feature Management and Configuration Advanced...

Page 16: ...tem Information X TACACS Authentication X Telnet Access X TFTP X Time Protocols TimeP SNTP X Troubleshooting X VLANs X Web based Authentication X Xmodem X Feature Management and Configuration AdvancedTraffic Management Access Security Guide ...

Page 17: ...3 General Switch Traffic Security Guidelines 1 4 Conventions 1 5 Feature Descriptions by Model 1 5 Command Syntax Statements 1 5 Command Prompts 1 6 Screen Simulations 1 6 Port Identity Examples 1 6 Sources for More Information 1 7 Need Only a Quick Start 1 8 IP Addressing 1 8 To Set Up and Install the Switch in Your Network 1 9 ...

Page 18: ...ager and Operator Passwords page 2 1 Control access and privileges for the CLI menu and Web browser interfaces TACACS Authentication page 4 1 Uses an authentication appli cation on a server to allow or deny access to a switch RADIUS Authentication and Accounting page 5 1 Like TACACS uses an authentication application on a central server to allow or deny access to the switch RADIUS also provides ac...

Page 19: ...to detect prevent and log access attempts by unauthorized devices Authorized IP Managers page 10 1 Allows access to the switch by a networked device having an IP address previously configured in the switch as authorized Management Access Security Protection In considering management access security for your switch there are two key areas to protect Unauthorized client access to switch management f...

Page 20: ... OSI model such as SSH The above list does not address the mutually exclusive relationship that exists among some security features Security Feature Offers Protection Against Unauthorized Client Access to Switch Management Features Offers Protection Against Unauthorized Client Access to the Network Connection Telnet SNMP Net Mgmt Web Browser SSH Client Local Manager and Operator Usernames and Pass...

Page 21: ...authenticator port list control authorized auto unauthorized Vertical bars separate alternative mutually exclusive elements Square brackets indicate optional elements Braces enclose required elements Braces within square brackets indicate a required element within an optional choice Boldface indicates use of a CLI command part of a CLI command syntax or other displayed element in general text For ...

Page 22: ...tput sequences appear outside of a numbered figure For example ProCurve config ip default gateway 18 28 152 1 24 ProCurve config vlan 1 ip address 18 28 36 152 24 ProCurve config vlan 1 ip igmp Port Identity Examples This guide describes software applicable to both chassis based and stackable ProCurve switches Where port identities are needed in an example this guide uses the chassis based port id...

Page 23: ...e For the latest version of all ProCurve switch documentation including release notes covering recently added features visit the ProCurve Networking Website at http www procurve com manuals then select your switch product For information on specific parameters in the menu interface refer to the online help provided in the interface For example Figure 1 2 Getting Help in the Menu Interface For info...

Page 24: ...ve Website at http www procurve com Need Only a Quick Start IP Addressing If you just want to give the switch an IP address so that it can communicate on your network or if you are not using multiple VLANs ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing To do so do one of the following Enter setup at the CLI Manager level prompt ProCurve setup In the Mai...

Page 25: ...nstructions for physically installing the switch in your network Quickly assigning an IP address and subnet mask setting a Manager password and optionally configuring other basic features Interpreting LED behavior For the latest version of the Installation and Getting Started Guide and other documentation for your switch visit the ProCurve Networking Web site Refer to Product Documentation on page...

Page 26: ...1 10 Getting Started Need Only a Quick Start ...

Page 27: ...Security 2 4 Menu Setting Passwords 2 4 CLI Setting Passwords and Usernames 2 5 Web Setting Passwords and Usernames 2 6 Front Panel Security 2 7 When Security Is Important 2 7 Front Panel Button Functions 2 8 Configuring Front Panel Security 2 10 Password Recovery 2 15 Password Recovery Process 2 17 ...

Page 28: ...curity n a page 1 13 Front panel security page 1 13 password clear enabled page 1 13 reset on clear disabled page 1 14 factory reset enabled page 1 15 password recovery enabled page 1 15 Level Actions Permitted Manager Access to all console interface areas This is the default level That is if a Manager password has not been set prior to starting the current console session then anyone having acces...

Page 29: ... causes the console session to end after the specified period of inactivity thus giving you added security against unautho rized console access Note The manager and operator passwords and optional usernames control access to the menu interface CLI and Web browser interface If you configure only a Manager password with no Operator password and in a later session the Manager password is not entered ...

Page 30: ...pted with Enter new password b Type a password of up to 16 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new console session you will be prompted to enter the password If you use the CLI or Web browser interfa...

Page 31: ...r to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot start a con sole session at the Manager level because of a lost Manager password you can clear the password by getting physical access to the switch and pressing and holding the Clear button for a minimum of one second This action deletes all passwords and u...

Page 32: ...to remove password protection from the Operator level This means that anyone who can access the switch console can gain Operator access without having to enter a user name or password Web Setting Passwords and Usernames In the Web browser interface you can enter passwords and optional user names To Configure or Remove Usernames and Passwords in the Web Browser Interface 1 Click on the Security tab...

Page 33: ... Insurance Portability and Accountability Act HIPAA of 1996 requires that systems handling and transmitting confidential medical records must be secure It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key For some customers this is no longer true Others simply ...

Page 34: ...Reset buttons on the front of the switch Front Panel Button Functions The front panel of the switch includes the Reset button and the Clear button Figure 2 4 Example Front Panel Button Locations Clear Button Pressing the Clear button alone for one second resets the password s con figured on the switch Figure 2 5 Press the Clear Button for One Second To Reset the Password s Reset Button Clear Butto...

Page 35: ... the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button 2 While holding the Reset button press and hold the Clear button Reset Clear Reset Clear Reset Clear Reset Clear ...

Page 36: ... or re enable the password clearing function of the Clear button Disabling the Clear button means that pressing it does not remove local password protection from the switch This action affects the Clear button when used alone but does not affect the operation of the Reset Clear combination described under Restor ing the Factory Default Configuration on page 2 9 Configure the Clear button to reboot...

Page 37: ...en pressing the Clear button erases the local usernames and passwords from the switch When reset on clear is enabled pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch Enabling reset on clear automatically enables clear password Default Disabled Factory Reset Shows the status of the Reset button on the front panel of the switch Enabled means t...

Page 38: ...y default configuration pressing the Clear button on the switch s front panel erases any local usernames and passwords configured on the switch This command disables the password clear function of the Clear button so that pressing it has no effect on any local usernames and passwords Default Enabled Note Although the Clear button does not erase passwords when disabled you can still use it with the...

Page 39: ...enable or disable the reset on clear option Defaults password clear Enabled reset on clear Disabled Thus To enable password clear with reset on clear disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password cl...

Page 40: ...an use the factory reset command to prevent the Reset Clear combination from being used for this purpose Shows password clear disabled Enables password clear with reset on clear disabled by the no statement at the beginning of the command Shows password clear enabled with reset on clear disabled Syntax no front panel security factory reset Disables or re enables the following functions associated ...

Page 41: ...switch to its factory default configuration which removes any non default configuration settings C a u t i o n Disabling password recovery requires that factory reset be enabled and locks out the ability to recover a lost manager username if configured and pass word on the switch In this event there is no way to recover from a lost manager username password situation without resetting the switch t...

Page 42: ...and press N for No Figure 2 11 shows an example of disabling the password recovery parameter Syntax no front panel security password recovery Enables or using the no form of the command disables the ability to recover a lost password When this feature is enabled the switch allows management access through the password recovery process described below This provides a method for recovering from a lo...

Page 43: ...se the Reset Clear button combination described under Restoring the Factory Default Configuration on page 2 9 This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfig ured To use the password recovery option to recover a lost password 1 Note the switch s base MAC addre...

Page 44: ... Center is valid only for a single login attempt You cannot use the same one time use password if you lose the password a second time Because the password algorithm is randomized based upon your switch s MAC address the password will change as soon as you use the one time use password provided to you by the ProCurve Customer Care Center ...

Page 45: ...on 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentication on the Switch 3 22 Overview 3 22 Configure the Switch for MAC Based Authentication 3 23 Show Status and Config...

Page 46: ...cation Web Auth This method uses a Web page login to authenticate users for access to the network When a user connects to the switch and opens a Web browser the switch automatically presents a login page The user then enters a username and password which the switch forwards to a RADIUS server for authentication After authentication the switch grants access to the secured network Other than a Web b...

Page 47: ...d on ports configured for any of these authentication methods Client Options Web Auth and MAC Auth provide a port based solution in which a port can belong to one untagged VLAN at a time However where all clients can operate in the same VLAN the switch allows up to 32 simultaneous clients per port In applications where you want the switch to simultaneously support multiple client sessions in diffe...

Page 48: ...when using Web Authentication You can use the RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client When a RADIUS server authenticates a client the switch port membership during the client s connection is determined according to the following hierarchy 1 A RADIUS assigned VLAN 2 An authorized VLAN specified in the Web or MAC Auth configuration for the subje...

Page 49: ...cess or limited network access as defined by the System Administrator Web based Authentication When a client connects to a Web Auth enabled port communication is redi rected to the switch A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials Figure 3 1 Example of User Login Screen The temporary IP address pool can be specified us...

Page 50: ...n of the client session the port belongs to the authorized VLAN auth vid if configured and temporarily drops all other VLAN memberships 3 If neither 1 or 2 above apply but the port is an untagged member of a statically configured port based VLAN then the port remains in this VLAN 4 If neither 1 2 or 3 above apply then the client session does not have access to any statically configured untagged VL...

Page 51: ...o specific guest network resources If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available Should another client success fully authenticate through that port any unauthenticated clients on the unauth vid are dropped from the port MAC based Authentication When a client connects to a MAC Auth enabled port traffic is blocked The switch immediately subm...

Page 52: ...ession the port returns to its pre authentication state Any changes to the port s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid credentials or a RADIUS server timeout The server timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out The max reque...

Page 53: ...wed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified Web page presented to an authorized client following Web Authentication ProCurve recommends specif...

Page 54: ...ration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to configure VLAN assignments in your RADIUS server or considerusing either Authorized orUnauthorized VLANs Ifyour LAN does use multiple VLANs then some of the following factors may apply to your use of Web Auth and MAC Auth Web Auth and MAC Auth operate only with port based ...

Page 55: ...ategory to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port In this case if there is a successful request for authentication from an authorized client the switch terminates the unauthorized ...

Page 56: ...curity measures are in place to protect the switch configuration from unauthorized access 2 Determine which ports on the switch you want to operate as authentica tors Note that before you configure Web or MAC based authentication on a port operating in an LACP trunk you must remove the port from the trunk refer to the Note on Web MAC Authentication and LACP on page 3 12 3 Determine whether any VLA...

Page 57: ...o rized VLAN the switch simply blocks access to unauthenticated clients trying to use the port 5 Determine the authentication policy you want on the RADIUS server and configure the server Refer to the documentation provided with your RADIUS application and include the following in the policy for each client or client device The CHAP RADIUS authentication method An encryption key One of the followi...

Page 58: ... provides four format options aabbccddeeff the default format aabbcc ddeeff aa bb cc dd ee ff aa bb cc dd ee ff Note on MAC Addresses Letters in MAC addresses must be in lowercase If the device is a switch or other VLAN capable device use the base MAC address assigned to the device and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch Note...

Page 59: ...erver host ip address key server specific key string 3 16 Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the configuration You can config ure up to three RADIUS server addresses The switch uses the first server it successfully accesses Refer to RADIUS Authentication Authorization and Accounting on page 5 1 key global key string Sp...

Page 60: ...ng authentication or accounting sessions with the speci fied server This key must match the encryption key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for the global encryption key above The no form of the command removes the key configured for a specific server ProCurve config radius server host 192 168 32 11 key 2Pzo...

Page 61: ... switch can communicate with the RADIUS server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Configure the switch for Web Auth a Configure Web Authentication on the switch ports you want to use b If the necessary to avoid address conflicts with the secure network specify the base IP address ...

Page 62: ...quiet period 3 20 reauth period 3 20 reauthenticate 3 20 redirect url 3 21 server timeout 3 21 ssl login 3 21 unauth vid 3 22 Syntax aaa port access web based dhcp addr ip address mask Specifies the base address mask for the temporary IP pool used by DHCP The base address can be any valid ip address not a multicast address Valid mask range value is 255 255 240 0 255 255 255 0 Default 192 168 0 0 2...

Page 63: ...ver supplies one Use the no form of the command to set the auth vid to 0 Default 0 Syntax aaa port access web based e port list client limit 1 32 Specifies the maximum number of authenticated clients to allow on the port Default 1 Syntax no aaa port access web based e port list client moves Allows client moves between the specified ports under Web Auth control When enabled the switch allows client...

Page 64: ... port access web based e port list max retries 1 10 Specifies the number of the number of times a client can enter their user name and password before authen tication fails This allows the reentry of the user name and password if necessary Default 3 Syntax aaa port access web based e port list quiet period 1 65535 Specifies the time period in seconds the switch should wait before attempting an aut...

Page 65: ...for authenticated clients may not be acceptable Syntax aaa port access web based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt or ends the authentication session Default 30 seconds Syntax no aaa port access web based e port list ssl logi...

Page 66: ...rver you have configured to support MAC Auth on the switch 4 Configure the switch with the correct IP address and encryption key to access the RADIUS server 5 Configure the switch for MAC Auth a Configure MAC Authentication on the switch ports you want to use 6 Test both the authorized and unauthorized access to your system to ensure that MAC Authentication works properly on the ports you have con...

Page 67: ...access mac based addr format no delimiter single dash multi dash multi colon Specifies the MAC address format to be used in the RADIUS request message This format must match the format used to store the MAC addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb cc dd ee ff format ...

Page 68: ... moves allowed Syntax aaa port access mac based e port list auth vid vid no aaa port access mac based e port list auth vid Specifies the VLAN to use for an authorized client The Radius server can override the value accept response includes a vid If auth vid is 0 no VLAN changes occur unless the RADIUS server supplies one Use the no form of the command to set the auth vid to 0 Default 0 Syntax aaa ...

Page 69: ...t 300 seconds Syntax aaa port access mac based e port list reauthenticate Forces a reauthentication of all attached clients on the port Syntax aaa port access mac based e port list server timeout 1 300 Specifies the period in seconds the switch waits for a server response to an authentication request Depend ing on the current max requests value the switch sends a new attempt or ends the authentica...

Page 70: ...t as well as its current VLAN ID Ports without Web Authenti cation enabled are not listed Syntax show port access port list web based clients Shows the port address Web address session status and elapsed session time for attached clients on all ports or the specified ports Ports with multiple clients have an entry for each attached client Ports without any attached clients are not listed Syntax sh...

Page 71: ... timeout failures before authentication fails and the length of time between authentication requests Syntax show port access port list web based config web server Shows Web Authentication settings for all ports or the specified ports along with the Web specific settings for password retries SSL login status and a redirect URL if specified Syntax show port access port list web based config detail S...

Page 72: ...ll as its current VLAN ID Ports without MAC Authenti cation enabled are not listed Syntax show port access port list mac based clients Shows the port address MAC address session status and elapsed session time for attached clients on all ports or the specified ports Ports with multiple clients have an entry for each attached client Ports without any attached clients are not listed Syntax show port...

Page 73: ...s for all ports or the specified ports along with the Radius server specific settings for the timeout wait the number of timeout failures before authentication fails and the length of time between authentication requests Syntax show port access port list mac based config detail Shows all MAC Authentication settings including the Radius server specific settings for the specified ports ...

Page 74: ... difficulties See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan Unauthorized VLAN only 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfully applied to the port...

Page 75: ...uthentication Configuration 4 9 Viewing the Switch s Current TACACS Server Contact Configuration 4 10 Configuring the Switch s Authentication Methods 4 11 Configuring the Switch s TACACS Server Access 4 18 How Authentication Operates 4 23 General Authentication Process Using a TACACS Server 4 23 Local Authentication Process 4 25 Using the Encryption Key 4 26 Controlling Web Browser Interface Acces...

Page 76: ...er and 2 local passwords configured on the switch That is with TACACS configured Feature Default Menu CLI Web view the switch s authentication configuration n a page 4 9 view the switch s TACACS server contact configuration n a page 4 10 configure the switch s authentication methods disabled page 4 11 configure the switch to contact TACACS server s disabled page 4 18 B ProCurve Switch Configured f...

Page 77: ... operation are communication server remote access server or terminal server These terms apply when TACACS is enabled on the switch that is when the switch is TACACS aware TACACS Server The server or management station configured as an access control server for TACACS enabled devices To use TACACS with the switch and any other TACACS capable devices in your network you must purchase install and con...

Page 78: ...on local authentication refer to Configuring Username and Password Security on page 2 1 TACACS Authentication This method enables you to use a TACACS server in your network to assign a unique password user name and privilege level to each individual or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central se...

Page 79: ...ommends that you use a TACACS server application that supports a redundant backup installation This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect Web browser interface access Refer to Controlling Web Browser Interface Access When Using TACACS Authentication on page 4 28 General Authentication Setup Proce...

Page 80: ... switch This includes the username password sets for logging in at the Operator read only privilege level and the sets for logging in at the Manager read write privilege level The IP address es of the TACACS server s youwanttheswitchtouse for authentication If you will use more than one server determine which server is your first choice for authentication services The encryption key if any for all...

Page 81: ... correct local username and password for Manager access If the switch cannot find any designated TACACS servers the local manager and operator username password pairs are always used as the secondary access control method Caution You should ensure that the switch has a local Manager password Other wise if authentication through a TACACS server fails for any reason then unauthorized access will be ...

Page 82: ...ta that could affect the console access 9 When you are confident that TACACS access through both Telnet and the switch s console operates properly use the write memory command to save the switch s running config file to flash memory Configuring TACACS on the Switch Before You Begin If you are new to TACACS authentication ProCurve recommends that you read the General Authentication Setup Procedure ...

Page 83: ...s Syntax show authentication This example shows the default authentication configuration Figure 4 2 Example Listing of the Switch s Authentication Configuration Command Page show authentication 4 9 show tacacs 4 10 aaa authentication pages4 11through4 15 console Telnet num attempts 1 10 tacacs server pages 4 18 host ip addr pages 4 18 key 4 22 timeout 1 255 4 23 Configuration for login and enable ...

Page 84: ... TACACS servers the switch can contact Syntax show tacacs For example if the switch was configured for a first choice and two backup TACACS server addresses the default timeout period and paris 1 for a global encryption key show tacacs would produce a listing similar to the following Figure 4 3 Example of the Switch s TACACS Configuration Listing First Choice TACACS Server Second Choice TACACS Ser...

Page 85: ...s Port access 802 1X However TACACS authentication is only used with the console Telnet or SSH access methods The command specifies whether to use a TACACS server or the switch s local authentication or no authentication in some situations meaning thatiftheprimarymethodfails authenticationisdenied The command also reconfigures the number of access attempts to allow in a session if the first attemp...

Page 86: ... Manager is returned to the switch by the TACACS server Default Single login disabled local tacacs radius Selects the type of security access local Authenticates with the Manager and Operator password you configure in the switch tacacs Authenticates with a password and other data configured on a TACACS server radius Authenticates with a password and other data configured on a RADIUS server local n...

Page 87: ... backup method for the access method being config ured local The username password pair configured locally in the switch for the privilege level being configured Cannot be used if the primary authentication is local none No secondary type of authentication for the specified method privilege path Available only if the primary method of authentication for the access being configured is local authori...

Page 88: ... Telnet or Console access method configuring Login Primary for local authentication while configuring Enable Primary for tacacs authentica tion is not recommended as it defeats the purpose of using the TACACS authentication If you want Enable Primary log in attempts to go to a TACACS server you should configure both Login Primary and Enable Pri mary for tacacs authentication Access Method and Priv...

Page 89: ...s the privilege level Operator or Manager that was configured on the TACACS server for this username Console Login Operator or Read Only Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication console login tacacs local Console Enable Manager or Read Write Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication console enable ...

Page 90: ... to check some entries in the User Setup on the TACACS server In the User Setup scroll to the Advanced TACACS Settings section Make sure the radio button for Max Privilege for any AAA Client is checked and the level is set to 15 as shown in Figure 4 4 Privileges are represented by the numbers 0 through 15 with zero allowing only Operator privileges and requiring two logins and 15 representing root...

Page 91: ...Configuring TACACS on the Switch Check the Privilege level box and set the privilege level to 15 to allow root privileges This allows you to use the single login option Figure 4 5 The Shell Section of the TACACS Server User Setup ...

Page 92: ...t encryption keys you can configure the switch to use different encryp tion keys for different TACACS servers The timeout value in seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the swi...

Page 93: ...keys If TACACS server X does not have an encryption key assigned for the switch then configuring either a global encryption key or a server specific key in the switch for server X will block authentication support from server X Syntax tacacs server host ip addr key key string Adds a TACACS server and optionally assigns a server specific encryption key no tacacs server host ip addr Removes a TACACS...

Page 94: ...server 2 When there is one TACACS serves already configured entering another server IP address makes that server the second choice backup TACACS server 3 When there are two TACACS servers already configured entering another server IP address makes that server the third choice backup TACACS server The above position assignments are fixed Thus if you remove one server and replace it with another the...

Page 95: ...lso assigned in the TACACS server s that the switch will access for authentication This option is subordinate to any per server encryption keys you assign and applies only to accessing TACACS servers for which you have not given the switch a per server key See the host ip addr key key string entry at the beginning of this table For more on the encryption key see Using the Encryption Key on page 4 ...

Page 96: ...cryption key if the same key applies to all TACACS servers the switch may use for authentication attempts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 4 26 To configure north01 as a global encryption key ProCurve config tacacs server key north01 To configure north01 as a per...

Page 97: ...or show config running if you have made TACACS configuration changes without executing write mem Configuring the Timeout Period The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS server before either sending a new request to the next server in the switch s Server IP Address list or using the local authentication option For example to ch...

Page 98: ...ng terminal via the switch 2 When the requesting terminal responds to the prompt with a username the switch forwards it to the TACACS server 3 After the server receives the username input the requesting terminal receives a password prompt from the server via the switch 4 When the requesting terminal responds to the prompt with a password the switch forwards it to the TACACS server and one of the f...

Page 99: ...ers or no servers were configured and Local is the secondary authentication mode being used For a listing of authentication options see table 4 2 Primary Secondary Authentication Table for Console and Telnet on 4 14 For local authentication the switch uses the operator level and manager level username passwordset s previouslyconfiguredlocallyontheswitch These are the usernames and passwords you ca...

Page 100: ...of the following Global key A general key assignment in the TACACS server appli cation that applies to all TACACS aware devices for which an indi vidual key has not been configured Server Specific key A unique key assignment in the TACACS server application that applies to a specific TACACS aware device Note Configure a key in the switch only if the TACACS server application has this exact same ke...

Page 101: ...ied servers For example you would use the next command to configure a global encryp tion key in the switch to match a key entered as north40campus in two target TACACS servers That is both servers use the same key for your switch Note that you do not need the server IP addresses to configure a global key in the switch ProCurve config tacacs server key north40campus Suppose that you subsequently ad...

Page 102: ...more of the following Configure local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow Web browser access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Disable Web browser access to the switch by going to ...

Page 103: ...ion Invalid password The system does not recognize the username or the password or both Depending on the authentication method tacacs or local either the TACACS server application did not recognize the username password pair orthe username password pair did not match the username password pair configured in the switch No Tacacs servers responding TheswitchhasnotbeenabletocontactanydesignatedTACACS...

Page 104: ...zed IP Manager controls configured on the switch Also the switch does not attempt TACACS authentication for a management station that the Authorized IP Manager list excludes because independent of TACACS the switch already denies access to such stations When TACACS is not enabled on the switch or when the switch s only designated TACACS servers are not accessible setting a local Operator password ...

Page 105: ...4 31 TACACS Authentication Configuring TACACS on the Switch ...

Page 106: ...4 32 TACACS Authentication Configuring TACACS on the Switch ...

Page 107: ... s Global RADIUS Parameters 5 12 Local Authentication Process 5 16 Controlling Web Browser Interface Access When Using RADIUS Authentication 5 17 Commands Authorization 5 17 Enabling Authorization 5 18 Displaying Authorization Information 5 19 Configuring Commands Authorization on a RADIUS Server 5 19 Configuring RADIUS Accounting 5 25 Operating Rules for RADIUS Accounting 5 27 Steps for Configuri...

Page 108: ...ity for the follow ing types of primary password access to the ProCurve switch Serial port Console Telnet SSH Web Port Access Note The switch does not support RADIUS security for SNMP network manage ment access For information on blocking unauthorized access through the web browser interface refer to Controlling Web Browser Interface Access When Using RADIUS Authentication on page 5 17 Accounting ...

Page 109: ...work Access Server In this case a ProCurve switch configured for RADIUS security operation RADIUS Remote Authentication Dial In User Service RADIUS Client The device that passes user information to designated RADIUS servers RADIUS Host See RADIUS server RADIUS Server A server running the RADIUS application you are using on your network This server receives user connection requests from the switch ...

Page 110: ...der in which they are listed by showradius page 5 33 If the first server does not respond the switch tries the next one and so on To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 5 38 YoucanselectRADIUSastheprimaryauthenticationmethodforeach type of access Only one primary and one secondary access method is allowed for each access...

Page 111: ...he IP address es of the RADIUS server s you want to support the switch You can configure the switch for up to three RADIUS servers If you need to replace the default UDP destination port 1812 the switch uses for authentication requests to a specific RADIUS server select it before beginning the configuration process If you need to replace the default UDP destination port 1813 the switch uses for ac...

Page 112: ...y times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting This depends on how many RADIUS servers you have configured the switch to access Determine whether you want to bypass a RADIUS server that fails to respond to requests for service To shorten authentication time you can set a bypass period in the range of 1 to 1440 minutes for non responsiv...

Page 113: ...t for accounting requests default 1813 recommended Optional encryption key for use during authentication sessions with a RADIUS server This key overrides the global encryption key you can also configure on the switch and must match the encryption key used on the specified RADIUS server Default null 3 Configure the global RADIUS parameters Server Key This key must match the encryption key used on t...

Page 114: ...ing RADIUS Accounting on page 5 25 1 Configure Authentication for the Access Methods You Want RADIUS To Protect Thissectiondescribeshow toconfiguretheswitchfor RADIUSauthentication through the following access methods Console Either direct serial port connection or modem connection Telnet Inbound Telnet must be enabled the default SSH To employ RADIUS for SSH access you must first configure the sw...

Page 115: ...entication method for console Telnet SSH and or theWeb browser interface The default primary enable login authentication is local local none Provides options for secondary authentication default none Note that for console access secondary authenti cation must be local if primary access is not local This prevents you from being completely locked out of the switch in the event of a failure in other ...

Page 116: ...ation requests to the specified RADIUS server host If you do not use this option with the radius server host command the switch automatically assigns the default authentication port number The auth port number must match its server counterpart Default 1812 acct port port number Optional Changes the UDP destination port for account ing requests to the specified RADIUS server If you do not use this ...

Page 117: ...y of source0119 Figure 5 3 Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5 3 you would do the following Figure 5 4 Sample Configuration for RADIUS Server After Changing the Key and Adding Another Server To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on...

Page 118: ...th all RADIUS servers for which there is not a server specific key configured by radius server host ip address key key string This key is optional if you configure a server specific key for each RADIUS server entered in the switch Refer to 2 Configure the Switch To Access a RADIUS Server on page 5 10 Server timeout Defines the time period in seconds for authentica tion attempts If the timeout peri...

Page 119: ...he session due to input errors Default 3 Range 1 10 no radius server key global key string Specifies the global encryption key the switch uses with servers for which the switch does not have a server specific key assignment This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key Default Null dead time 1 1440 Optional Specifies the time ...

Page 120: ... authentication parameters Allow only two tries to correctly enter username and password Use the global encryption key to support the two servers that use the same key For this example assume that you did not configure these two servers with a server specific key Use a dead time of five minutes for a server that fails to respond to an authentication request Allow three seconds for request timeouts...

Page 121: ...e Local None SSH Radius None Radius None Web Auth ChapRadius MAC Auth ChapRadius ProCurve show radius Status and Counters General RADIUS Information Deadtime min 5 Timeout secs 3 Retransmit Attempts 2 Global Encryption Key My Global Key 1099 Auth Acct Server IP Addr Port Port Encryption Key 10 33 18 127 1812 1813 source0127 10 33 18 119 1812 1813 10 33 18 151 1812 1813 After two attempts failing d...

Page 122: ...ator at the requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level...

Page 123: ...on and authorization steps into one phase The user must be successfully authenticated before the RADIUS server will send authorization information from the user s profile to the Network Access Server NAS After user authentication has occurred the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user s session Changes in the user s authorization p...

Page 124: ...nd list and the command exception flag When an authenticated user enters a command on the switch the switch examines the list of com mandsdeliveredinthe RADIUSAccess Acceptpacketaswellasthecommand exception flag which indicates whether the user has permission to execute the commands in the list See Configuring the RADIUS Server on page 5 19 After the Access Accept packet is deliver the command lis...

Page 125: ... or denied execution by the user The commands are delimited by semi colons and must be between 1 and 249 characters in length Multiple instances of this attribute may be present in Access Accept packets A single instance may be present in Accounting Request packets HP Command Exception A flag that specifies whether the commands indicated by the HP Command String attribute are permitted or denied t...

Page 126: ...ticated user is allowed to execute all commands available on the switch Not present PermitList DenyOthers 0 Authenticated user can only execute aminimalsetofcommands thosethat are available by default to any user Commands List DenyList PermitOthers 1 Authenticated user may execute all commands except those in the Commands list Commands List PermitList DenyOthers 0 Authenticated user can execute on...

Page 127: ...teps 1 Create a dictionary file for example hp ini containing the HP VSA definitions as shown in the example below User Defined Vendor The Name and IETF vendor code and any VSAs MUST be unique One or more VSAs named max 255 Each named VSA requires a definition section Types are STRING INTEGER IPADDR The profile specifies usage IN for accounting OUT for authorization MULTI if more than a single ins...

Page 128: ...removing vendors requires ACS services to be re started Please make sure regedit is not running as it can prevent registry backup restore operations Are you sure you want to proceed Y or N y Parsing hp ini for addition at UDV slot 0 Stopping any running services Creating backup of current config Adding Vendor HP added as RADIUS HP Done Checking new configuration New configuration OK Re starting st...

Page 129: ...up Setup User Setup To enable the processing of the HP Command String VSA for RADIUS accounting 1 Select System Configuration 2 Select Logging 3 Select CSV RADIUS Accounting In the Select Columns to Log section add the HP Command String attribute to the Logged Attributes list 4 Select Submit 5 Select Network Configuration In the AAA Clients section select an entry in the AAA Client Hostname column...

Page 130: ... add this entry INCLUDE dictionary hp 4 You can now use HP VSAs with other attributes when configuring user entries dictionary hp As posted to the list by User user_email Version Id dictionary hp v 1 0 2006 02 23 17 07 07 VENDOR Hp 11 HP Extensions ATTRIBUTE Hp Command String 2 string Hp ATTRIBUTE Hp Command Exception 3 integer Hp Hp Command Exception Attribute Values VALUE Hp Command Exception Pe...

Page 131: ...Page no radius server host ip address 5 28 acct port port number 5 28 key key string 5 28 no aaa accounting exec network system start stop stop only radius 5 31 no aaa accounting update periodic 1 525600 in minutes 5 32 no aaa accounting suppress null username 5 32 show accounting 5 36 show accounting sessions 5 37 show radius accounting 5 37 ...

Page 132: ...he switch refer to Configuring Port Based and Client Based Access Control 802 1X on page 8 1 Exec accounting Provides records holding the information listed below about login sessions console Telnet and SSH on the switch System accounting Provides records containing the information listed below when system events occur on the switch including system reset system boot and enabling or disabling of s...

Page 133: ...r third server will not be accessed For more on this topic refer to Changing RADIUS Server Access Order on page 5 38 If access to a RADIUS server fails during a session but after the client has been authenticated the switch continues to assume the server is availabletoreceiveaccountingdata Thus ifserveraccessfailsduring a session it will not receive accounting data transmitted from the switch Step...

Page 134: ...e 5 26 Trigger for sending accounting reports to a RADIUS server At session start and stop or only at session stop 3 Optional Configure session blocking and interim updating options Updating Periodically update the accounting data for sessions in progress Suppress accounting Block the accounting session for any unknown user with no username access to the switch 1 Configure the Switch To Access a R...

Page 135: ...authentication method for one or more types of access to the switch Telnet Console etc Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the configuration acct port port number Optional Changes the UDP destination port for accounting requests to the specified RADIUS server If you do not use this option the switch automatically assign...

Page 136: ... when A system boot or reload occurs System accounting is turned on or off Note that there is no time span associated with using the system option It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs Network Use Network if you want to collect accounting information on 802 1X port based access users connected to the physical ports on ...

Page 137: ...otice includes the latest data the switch has collected for the requested accounting type Network Exec or System Do not wait for an acknowledgment Thesystemoption page5 30 alwaysdeliversstop onlyoperationbecause the switchsendsthe accumulated data only whenthere is a reboot reload or accounting on off event For example to configure RADIUS accounting on the switch with start stop for exec functions...

Page 138: ...To continue the example in figure 5 9 suppose that you wanted the switch to Send updates every 10 minutes on in progress accounting sessions Block accounting for unknown users no username Figure 5 10 Example of Optional Accounting Update Period and Accounting Suppression on Unknown User Syntax no aaa accounting update periodic 1 525600 Sets the accounting update period for all accounting ses sions...

Page 139: ...S Information from Show Radius Command Syntax show radius host ip addr Shows general RADIUS configuration including the server IP addresses Optional form shows data for a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Configuring RADIUS Accounting on page 5 25 ...

Page 140: ...ndAcct Delayhave been updated as well as those in which they remain the same Timeouts The number of accounting timeouts to this server After a timeout the client may retry to the same server send to a different server or give up A retry to the same server is counted as a retransmit as well as a timeout A send to a different server is counted as an Accounting Request as well as a timeout Malformed ...

Page 141: ...IUS Access Accept packets valid or invalid received from this server Access Rejects The number of RADIUS Access Reject packets valid or invalid received from this server Responses The number of RADIUS packets received on the accounting port from this server Term Definition Syntax show authentication Displays the primary and secondary authentication meth ods configured for the Console Telnet Port A...

Page 142: ...5 Listing the Accounting Configuration in the Switch Syntax show accounting Lists configured accounting interval Empty User suppres sion status accounting types methods and modes show radius accounting Lists accounting statistics for the RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the swit...

Page 143: ...ntication Authorization and Accounting Viewing RADIUS Statistics Figure 5 16 Example of RADIUS Accounting Information for a Specific Server Figure 5 17 Example Listing of Active RADIUS Accounting Sessions on the Switch ...

Page 144: ...us to move a server address up in the list you must delete it from the list ensure that the position to which you want to move it is vacant and then re enterit Forexample supposeyouhavealreadyconfiguredthefollowingthree RADIUS server IP addresses in the switch Figure 5 18 Search Order for Accessing a RADIUS Server To exchange the positions of the addresses so that the server at 10 10 10 003 will b...

Page 145: ...list 4 Re enter 10 10 10 001 Because the only positionopen is the thirdposition this address becomes last in the list Figure 5 19 Example of New RADIUS Server Search Order Removes the 003 and 001 addresses from the RADIUS server list Inserts the 003 address in the first position in the RADIUS server list and inserts the 001 address in the last position in the list Shows the new order in which the ...

Page 146: ...iscorrectly configured to receive an authentication request from the switch No server s responding The switch is configured for and attempting RADIUS authentication however it is not receiving a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions lis...

Page 147: ...for SSH Operation 6 9 1 Assign Local Login Operator and Enable Manager Password 6 9 2 Generate the Switch s Public and Private Key Pair 6 10 3 Provide the Switch s Public Key to Clients 6 13 4 Enable SSH on the Switch and Anticipate SSH Client Contact Behavior 6 15 5 Configure the Switch for SSH Authentication 6 18 6 Use an SSH Client To Access the Switch 6 22 Further Information on SSH Client Pub...

Page 148: ...uses one or more public keys from clients that must be stored on the switch Only a client with a private key that matches a stored public key can gain access to the switch The same private key can be stored on one or more clients Figure 6 1 Client Public Key Authentication Model Feature Default Menu CLI Web Generating a public private key pair on the switch No n a page 6 10 n a Using the switch s ...

Page 149: ...ding passwords stored locally on the switch or on a TACACS or RADIUS server However the client does not use a key to authenticate itself to the switch Figure 6 2 Switch User Authentication SSH on the ProCurve switches covered in this guide supports these data encryption methods 3DES 168 bit DES 56 bit Note The ProCurve switches covered in this guide use the RSA algorithm for internally generated k...

Page 150: ... private key generated by an SSH client applica tion is typically stored in a file on the client device and together with its public key counterpart can be copied and stored on multiple devices Public Key An internally generated counterpart to a private key A device s public key is used to authenticate the device to other devices Enable Level Manager privileges on the switch Login Level Operator p...

Page 151: ...age 6 2 then the client program must have the capability to generate or import keys Public Key Formats Any client application you use for client public key authentication with the switch must have the capability export public keys The switch can accept keys in the PEM Encoded ASCII Format or in the Non Encoded ASCII format Figure 6 3 Example of Public Key in PEM Encoded ASCII Format Common for SSH...

Page 152: ... another SSH application b Copy the client public key into an ASCII file on a TFTP server accessible to the switch and download the client public key file to the switch The client public key file can hold up to ten client keys This topic is covered under To Create a Client Public Key Text File on page 6 24 Switch Access Level Primary SSH Authentication Authenticate SwitchPublicKey to SSH Clients A...

Page 153: ... the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none If the primary authentication method is local the secondary method must be none Option B Primary Client public key authentication login public key page 6 22 Secondary none Note that ...

Page 154: ...h you should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow security breaches On ProCurve switches that support stacking when stacking is enabled SSH provides security only between an SSH cl...

Page 155: ... and Manager password with one command Syntax password manager operator all SSH Related Commands in This Section Page show ip ssh 6 17 show crypto client public key manager operator keylist str babble fingerprint 6 25 show crypto host public key babble fingerprint 6 14 show authentication 6 21 crypto key generate zeroize ssh rsa 6 11 ip ssh 6 16 port 1 65535 default 6 16 timeout 5 120 6 16 aaa aut...

Page 156: ...s flash memory and only the public key in this pair is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the SSH clients which should have access to the switch Some SSH client appli cations automatically add the switch spublic key to a knownhosts file Other SSH applications require you to manually create a known hosts file and place t...

Page 157: ...ver any active SSH sessions will continue to run unless explicitly terminated with the CLI kill command To Generate or Erase the Switch s Public Private RSA Host Key Pair Because the host key pair is stored in flash instead of the running config file it is not necessary to use write memory to save the key pair Erasing the key pair automatically disables SSH Syntax crypto key generate ssh rsa Gener...

Page 158: ... switch key to the key as stored in your client s known hosts file note that the formatting and comments need not match For version 1 keys the three numeric values bit size exponent e and modulus n must match for PEM keys only the PEM encoded string itself must match Notes Zeroizing the switch s key automatically disables SSH sets ip ssh to no Thus if you zeroize the key and then generate a new ke...

Page 159: ... a direct serial connection from a management station to the switch 1 Use a terminal application such as HyperTerminal to display the switch s public key with the show crypto host public key command figure 6 5 2 Bring up the SSH client s known host file in a text editor such as Notepad as straight ASCII text and copy the switch s public key into the file 3 Ensure that there are no changes in break...

Page 160: ...e switch is using for authenticating itself to a client matches the copy of this key in the client s known hosts file Non encoded ASCII numeric string Requires a client ability to display the keys in the known hosts file in the ASCII format This method is tedious and error prone due to the length of the keys See figure 6 7 on page 6 13 Phonetic hash Outputs the key as a relatively short series of ...

Page 161: ...ion of its public key for file storage and default display format 4 Enable SSH on the Switch and Anticipate SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients After you enable SSH the switch can authenticate itself to SSH clients Note Before enabling SSH on the switch you must generate the switc...

Page 162: ...switch and learn the usernames and passwords controlling access to the switch You can remove this possibility by directly connecting the management station to the switch s serial port using a show command to display the switch s public key and copying the key from the display into a file This requires a knowledge of where your client stores public keys plus the knowledge of what key editing and fi...

Page 163: ...s on the ProCurve switches are 49 80 1506 and 1513 Figure 6 10 Example of Enabling IP SSH and Listing the SSH Configuration and Status timeout 5 120 The SSH login timeout value default 120 seconds The switch uses these five settings internally for transactions with clients See the Caution on page 6 18 Enables SSH on the switch Lists the current SSH configuration and status With SSH running the swi...

Page 164: ...button which removes local password protection keepphysical access to the switch restricted to authorized personnel 5 Configure the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch s public key by an SSH client However only Option B page 6 19 results in the switch also authenticating the client s public key Also for a more detailed discussi...

Page 165: ...Client Public Key Authentication on page 6 22 With steps 1 3 above completed and SSH properly configured on the switch if an SSH client contacts the switch login authentication automatically occurs first using the switch and client public keys After the client gains login access the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authenti...

Page 166: ...SSH clients you want to use TACACS for primary password authentication and local for secondary password authenti cation with a Manager username of 1eader and a password of m0ns00n To set up this operation you would configure the switch in a manner similar to the following Syntax copy tftp pub key file ip address filename Copies a public key file into the switch aaa authentication ssh login public ...

Page 167: ...nd password Configures the switch to allow SSH access only a client whose public key matchesoneofthe keys in the public key file Configures the primary and secondary password methods for Manager enable access Becomes available after SSH access is granted Copies a public key file named Client Keys pub into the switch Lists the current SSH authentication configuration Shows the contents of the publi...

Page 168: ...blic keys for authenticating clients This requires storing an ASCII version of each client s public key without babble conversion or fingerprint conversion in a client public key file that you create and TFTP copy to the switch In this case only clients that have a private key corresponding to one of the stored public keys can gain access to the switch using SSH That is if you use this feature onl...

Page 169: ...o the client 5 The client uses its private key to decrypt the byte sequence 6 The client then a Combines the decrypted byte sequence with specific session data b Uses a secure hash algorithm to create a hash version of this informa tion c Returns the hash version to the switch 7 The switch computes its own hash version of the data in step 6 and compares it to the client s hash version If they matc...

Page 170: ...otes Comments in public key files such as smith support cairns com in figure 6 13 may appear in a SSH client application s generated public key While such comments may help to distinguish one key from another they do not pose any restriction on the use of a key by multiple clients and or users Public key illustrations such as the key shown in figure 6 13 usually include line breaks as a method for...

Page 171: ...th a CR LF Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key Although you can manually add or edit any comments the client application adds to the end of the key such as the smith fellow at the end of the key in figure 6 13 on page 6 24 Property Supported Value Comments Key Format ASCII See figure 6 7 on...

Page 172: ...es the key s for operator access default follow with the append option to add the key s show crypto client public key manager operator keylist str babble fingerprint Displays the client public key s in the switch s current client public key file The manager option selects the manager public keys The operator option selects operator public keys The keylist str option allows you to select keys to di...

Page 173: ...e switch or reboot the switch You can remove the existing client public key file or specific keys by executing the clear crypto public key command Syntax clear crypto public key Deletes the client public key file from the switch Syntax clear crypto public key 3 Deletes the entry with an index of 3 from the client public key file on the switch Enabling Client Public Key Authentication After you TFT...

Page 174: ...eer unreachable Indicates an error in communicating with the tftp server or notfindingthefiletodownload Causesincludesuchfactors as Incorrect IP configuration on the switch Incorrect IP address in the command Case upper lower error in the filename used in the command Incorrect configuration on the TFTP server The file is not in the expected location Network misconfiguration No cable connection to ...

Page 175: ... are more than ten public keys in the key file and switchtotal Deletesomekeysfromtheswitchorfile The switch does not detect duplicate keys One or more keys in the file is corrupted or is not a valid rsa public key Refer to To Create a Client Public Key Text File on page 24 for information on client public key properties Error Requested keyfile does not exist The client key does not exist in the sw...

Page 176: ...6 30 Configuring Secure Shell SSH Messages Related to SSH Operation ...

Page 177: ...nfiguring and Using SSL for Switch and Client Authentication 7 5 General Operating Rules and Notes 7 6 1 Assign Local Login Operator and Enable Manager Password 7 7 2 Generate the Switch s Server Host Certificate 7 9 3 Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior 7 17 Common Errors in SSL Setup 7 21 ...

Page 178: ...uthentication Note SSL in ProCurve switches is based on the OpenSSL software toolkit For more information on OpenSSL visit http www openssl com Server Certificate authentication with User Password Authentication This option is a subset of full certificate authentication of the user and host It occurs only if the switch has SSL enabled As in figure 7 1 the switch authenticates itself to SSL enabled...

Page 179: ...p part of server host certificate and private portion is stored in switch flash not user accessible Digital Certificate A certificate is an electronic passport that is used to establish the credentials of the subject to which the certificate was issued Information contained within the certificate includes name of the subject serial number date of validity subject s public key and the digital signa...

Page 180: ... signed certificates Trusted certificates are distributed as an integral part of most popular web clients see browser documentation for which root certificates are pre installed Manager Level Manager privileges on the switch Operator Level Operator privileges on the switch Local password or username A Manager level or Operator level password configured in the switch SSL Enabled 1 A certificate key...

Page 181: ...tionality See the browser documentation for addi tional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 7 7 2 Generate a host certificate on the switch page 7 9 i Generate certificate key pair ii Generate host certificate You need to do this only once The switch s own public private certificate key pair and certificate are stored in the switch ...

Page 182: ...ty breaches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config command The public private certificate key pair is not be confused with the SSH public private key pair The certificate key pair and the SSH key pair are independent of each other which means a switch can have two keys ...

Page 183: ...ast a Manager password to the switch Otherwise under some circumstances anyone with Telnet web or serial port access could modify the switch s configuration SSL Related CLI Commands in This Section Page web management ssl page 7 19 show config page 7 19 show crypto host cert page 7 12 crypto key generate cert rsa 512 768 1024 page 7 10 zeroize cert page 7 10 crypto host cert generate self signed a...

Page 184: ...ement and Configuration Guide for your switch Figure 7 2 Example of Configuring Local Passwords 1 Proceed to the security tab and select device passwords button 2 Click in the appropriate box in the Device Passwords window and enter user names and passwords You will be required to repeat the password strings in the confirmation boxes Both the user names and passwords can be up to 16 printable ASCI...

Page 185: ... and digitally signed by the switch Since self signed certificates are not signed by a third party certificate authority there is no audit trail to a root CA certificate and no fool proof means of verifying authenticity of certificate The second type is a certificate authority signed certificate which is digitally signed by a certificate authority has an audit trail to a root CA certificate and ca...

Page 186: ...r when generating a new certificate The existing key pair may be re used and the crypto key generate cert command does not have to be executed ii Generate a new self signed host certificate This is done with the crypto host cert generate self signed Arg List command Note When generating a self signed host certificate on the CLI if there is not certificate key generated this command will fail Synta...

Page 187: ...owever good security practices would suggest a valid duration of about one year between updates of passwords and keys Common name This should be the IP address or domain name associated with the switch Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the switch Organization This is the name of the entity e g company where the switch is ...

Page 188: ...new key and server certificate you must also re enable SSL with the web management ssl command before the switch can resume SSL operation CLI Command to view host certificates To view the current host certificate from the CLI you use the show crypto host cert command For example to display the new server host certificate Figure 7 4 Example of show crypto host cert command Syntax show crypto host c...

Page 189: ...wcertificatekeypairand self signed CA signed certificate The right half displays information on the currently installed certificate ii Select the Create Certificate Certificate Request radio button iii Select Self Signed in the Certificate Type drop down list iv Select the RSA Key Size desired If you want to re use the current certificate key select Current from this list v Fill in the remaining c...

Page 190: ...eb browsers inter face Figure 7 5 Self Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface 1 Select the Security tab 2 Select the SSL button Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments ...

Page 191: ...ce For more information on how to access the web browser interface refer to the chapter titled Using the Web Browser Inter face in the Management and Configuration Guide for your switch The installation of a CA signed certificate involves interaction with other entities and consists of three phases The first phase is the creation of the CA certificate request which is then copied off from the swit...

Page 192: ...ist iv Select the key size from the RSA Key Size drop down list If you want to re use the current certificate key select Current from this list v Fill in the remaining certificate arguments Refer to Comments on Certificate Fields on page 7 11 vi Click on Apply Changes to create the certificate request A new web browser page appears consisting of two text boxes The switchuses the upper text box for...

Page 193: ...st Certificate Request Reply BEGIN CERTIFICATE MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93...

Page 194: ...ate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequivocally As long as you are confident that an unauthorized device is not using the switch s IP address in an attempt to gain access to your data or network you can accept the connection Note When an SSL client connects to the switch for the first time it is possible fo...

Page 195: ...SL To enable SSL on the switch i Proceed to the Security tab then the SSL button ii Select SSL Enable to on and enter the TCP port you desire to connect on iii Click on the Apply Changes button to enable SSL on the port To disable SSL on the switch do either of the following i Proceed to the Security tab then the SSL button ii Select SSL Enable to off iii Click on the Apply Changes button to enabl...

Page 196: ...Caution SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides you may want to disable Telnet access no telnet If you need to increase SNMP security use SNMP version 3 only for SNMP access Another security measure is to use the A...

Page 197: ...eb browser interface You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the Web browser interface on page 7 13 You may be using a reserved TCP port Refer to Note on Port Number on page 7 20 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior on page 7 17 Your browser may...

Page 198: ...7 22 Configuring Secure Socket Layer SSL Common Errors in SSL Setup ...

Page 199: ...verview Configuring 802 1X Authentication on the Switch 8 15 Configuring Switch Ports as 802 1X Authenticators 8 17 1 Enable 802 1X Authentication on Selected Ports 8 17 2 Reconfigure Settings for Port Access 8 20 3 Configure the 802 1X Authentication Method 8 23 4 Enter the RADIUS Host IP Address es 8 24 5 Enable 802 1X Authentication on the Switch 8 24 6 Optionally Resetting Authenticator Operat...

Page 200: ...ch Ports To Operate As Supplicants for 802 1X Connections to Other Switches 8 42 Displaying 802 1X Configuration Statistics and Counters 8 47 Show Commands for Port Access Authenticator 8 47 Viewing 802 1X Open VLAN Mode Status 8 50 Show Commands for Port Access Supplicant 8 53 How RADIUS 802 1X Authentication Affects VLAN Operation 8 54 Messages Related to 802 1X Operation 8 58 ...

Page 201: ...is manual includes the follow ing Switch operation as both an authenticator for supplicants having a point to point connection to the switch and as a supplicant for point to point connections to other 802 1X aware switches Authentication of 802 1X clients using a RADIUS server and either EAP Extensible Authentication Protocol or CHAP Challenge Hand shake Authentication Protocol Provision for enabl...

Page 202: ...isplay session counters User Authentication Methods The switch offers two methods for using 802 1X access control Generally the Port Based method supports one 802 1X authenticated client on a port which opens the port to an unlimited number of clients The Client Based method supports up to two 802 1X authenticated clients on a port In both cases there are operating details to be aware of that can ...

Page 203: ...ly authenticates The most recent client authentication determines the untagged VLAN membership for the port Also any client able to use the port can access any tagged VLAN memberships statically configured on the port provided the client is configured to use the available tagged VLAN memberships If the first client authenticates and opens the port and then one or more other clients connect without...

Page 204: ...wnloading 802 1X Supplicant Software For clients that do not have the necessary 802 1X supplicant software there is also the option to configure the 802 1X Open VLAN mode This mode allows you to assign such clients to an isolated VLAN through which you can provide the necessary supplicant software these clients need to begin the authentication process Refer to 802 1X Open VLAN Mode on page 8 26 Au...

Page 205: ...uch clients use the same untagged port based VLAN membership Authentication Server The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator In the case of a switch running 802 1X this is a RADIUS server unless local authentication is used in which case the switch performs this function using its own username and password for authenti...

Page 206: ...ces Tagged Membership in a VLAN This type of VLAN membership allows a port to be a member of multiple VLANs simultaneously If a client connected to the port has an operating system that supports 802 1Q VLAN tagging then the client can access VLANs for which the port is a tagged member If the client does not support VLAN tagging then it can access only a VLAN for which the port is an untagged membe...

Page 207: ... there is no authenticated client already using the port Untagged Membership in a VLAN A port can be an untagged member of only one VLAN In the factory default configuration all ports on the switch are untagged members of the default VLAN An untagged VLAN membership is required for a client that does not support 802 1q VLAN tagging A port can simultaneously have one untagged VLAN membership and mu...

Page 208: ...o log on 1 When the switch detects the client on the port it blocks access to the LAN from that port 2 The switch responds with an identity request 3 The client responds with a user name that uniquely defines this request for the client 4 The switch responds in one of the following ways If 802 1X port access on the switch is configured for RADIUS authentication the switch then forwards the request...

Page 209: ...nect port A1 on switch A to port B5 on switch B Figure 8 2 Example of Supplicant Operation 1 When port A1 on switch A is first connected to a port on switch B or if the ports are already connected and either switch reboots port A1 begins sending start packets to port B5 on switch B If after the supplicant port sends the configured number of start packets it does not receive a response it assumes t...

Page 210: ... supplicant and an authenticator at the same time General Operating Rules and Notes In the client based mode when there is an authenticated client on a port the following traffic movement is allowed Multicast and broadcast traffic is allowed on the port Unicast traffic to authenticated clients on the port is allowed All traffic from authenticated clients on the port is allowed When a port on the s...

Page 211: ...rity protection but switch B will not be allowed access to switch A If a client already has access to a switch port when you configure the port for 802 1X authenticator operation the port will block the client from further network access until it can be authenticated On a port configured for 802 1X with RADIUS authentication if the RADIUS server specifies a VLAN for the supplicant and the port is ...

Page 212: ...802 1X Open VLAN mode for clients that are not 802 1X aware that is for clients that are not running 802 1X supplicant software This will require you to provide download able software that the client can use to enable an authentication session For more on this topic refer to 802 1X Open VLAN Mode on page 8 26 5 For each port you want to operate as a supplicant determine a username and password pai...

Page 213: ...an initiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 8 26 3 Configure the 802 1X authentication type Options include Local Operator username and password the default This option allows a client to use the switch s local username and password as valid 802 1X credentials for network access EAP RADIUS This option requires ...

Page 214: ... for 802 1X operation and if desired the action to take if an unauthorized device attempts access through an 802 1X port See page 8 40 8 If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802 1X authenticator on another device then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connectio...

Page 215: ...en you enable 802 1X authentication on a port the switch automatically disables LACP on that port However if the port is already operating in an LACP trunk you must remove the port from the trunk before you can config ure it for 802 1X authentication 802 1X Authentication Commands Page no aaa port access authenticator ethernet port list 8 18 control quiet period tx period client limit supplicant t...

Page 216: ...tion from port list To activate configured 802 1X operation you must enable 802 1X authentication Refer to 5 Enable 802 1X Authentication on the switch on page 8 24 Syntax aaa port access authenticator client limit port list 1 2 Used after executing aaa port access authenticator port list above to convert authentication from port based to client based Specifies client based 802 1X authentication a...

Page 217: ...from client based authentication to port based authentication which is the default setting for ports on which authentication is enabled Executing aaa port access authenticator port list enables 802 1X authenti cation on port list and enables port based authentica tion page 8 18 If a port currently has no authenticated client sessions the next authenticated client session the port accepts determine...

Page 218: ... to provide 802 1X credentials or support 802 1X authentication You can still configure console Telnet or SSH security on the port auto the default The device connected to the port must support 802 1X authentication and provide valid credentials to get network access Optional You can use the Open VLAN mode to provide a path for clients without 802 1X supplicant software to down load this software ...

Page 219: ...erver response to an authentication request If there is no response within the configured time frame the switch assumes that the authentication attempt has timed out Depending on the current max requests setting the switch will either send a new request to the server or end the authentication session Default 30 seconds max requests 1 10 Sets the number of authentication attempts that must time out...

Page 220: ...d of time the switch waits for client activity before removing an inactive client from the port Default 300 seconds auth vid vid Configures an existing static VLAN to be the Autho rized Client VLAN Refer to 802 1X Open VLAN Mode on page 8 26 initialize On the specified ports blocks inbound and outbound traffic and restarts the 802 1X authentication process This happens only on ports configured wit...

Page 221: ... more EAP capable RADIUS servers Figure 8 5 Example of 802 1X Port Access Authentication Syntax aaa authentication port access local eap radius chap radius Determines the type of RADIUS authentication to use local Use the switch s local username and password for supplicant authentication eap radius Use EAP RADIUS authentication Refer to the documentation for your RADIUS server chap radius Use CHAP...

Page 222: ...vate it with this command Syntax radius host ip address Adds a server to the RADIUS configuration key server specific key string Optional Specifies an encryption key for use during authentication or accounting sessions with the spec ified server This key must match the key used on the RADIUS server Use this option only if the specified server requires a different key than configured for the global...

Page 223: ...stics on specific ports Syntax aaa port access authenticator port list initialize On the specified ports blocks inbound and outbound traffic and restarts the 802 1X authentication process This happens only on ports configured with controlauto and actively operating as 802 1X authenticators reauthenticate On the specified ports forces reauthentication unless the authenticator is in HELD state clear...

Page 224: ...t could not access the network This prevented the client from Acquiring IP addressing from a DHCP server Downloading the 802 1X supplicant software necessary for an authen tication session The 802 1X Open VLAN mode solves this problem by temporarily suspending the port s static tagged and untagged VLAN memberships and placing the port in a designated Unauthorized Client VLAN In this state the clie...

Page 225: ...he untagged VLAN membership for that port Clients that connect without trying to authenticate will have access to the untagged VLAN mem bership that is currently assigned to the port VLAN Membership Priorities Following client authentication an 802 1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration The port also becomes an untagged member of...

Page 226: ... per port 802 1X Open VLAN mode authentication Unauthorized Client VLAN Configure this VLAN when unauthen ticated friendly clientswillneed accesstosomeservicesbefore being authenticated Authorized Client VLAN Configure this VLAN for authenticated clients when the port is not statically configured as an untagged member of a VLAN you want clients to use or when the port is statically configured as a...

Page 227: ... blocked while the port is a member of the Unauthorized Client VLAN Authorized Client VLAN After the client is authenticated the port drops membership in the Unauthorized Client VLAN and becomes an untagged member of this VLAN Note if RADIUS authentication assigns a VLAN the port temporarily becomes a member of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is conn...

Page 228: ...of another VLAN the port s access to this other VLAN is restored Note If RADIUS authentication assigns a VLAN to the port this assignment overrides any statically configured untagged VLAN membership on the port while the client is connected If the port is statically configured as a tagged member of a VLAN that is not used by 802 1X Open VLAN mode the port returns to tagged membership in this VLAN ...

Page 229: ...ip in that VLAN Table 8 1 802 1X Open VLAN Mode Options 802 1X Per Port Configuration Port Response Condition Rule Static VLANs used as Authorized Client or Unauthorized Client VLANs These must be configured on the switch before you configure an 802 1X authenticator port to use them Use the vlan vlan id command or the VLAN Menu screen in the Menu interface VLAN Assignment Received from a RADIUS Se...

Page 230: ...uthorized Client VLAN also untagged While the Authorized Client VLAN is in use the port does not have access to the statically configured untagged VLAN Whentheauthenticatedclientdisconnects theswitchremovesthe port from the Authorized Client VLAN and moves it back to the untagged membership in the statically configured VLAN After client authentication the port resumes any tagged VLAN memberships f...

Page 231: ... VLAN regardless ofotherfactors This meansthata client without802 1X client authentication software cannot access a configured Unauthenticated Client VLAN if another authenticated client is already using the port Note Limitation on Using an Unauthorized Client VLAN on an 802 1X Port Configured to Allow Multiple Client Access You can optionally enable switches to allow up to 2 clients per port The ...

Page 232: ...d client Statically configure an Authorized Client VLAN in the switch The only ports that should belong to this VLAN are ports offering services and access you want available to authenticated clients 802 1X authen ticator ports do not have to be members of this VLAN Note that if an 802 1X authenticator port is an untagged member of another VLAN the port s access to that other VLAN will be temporar...

Page 233: ...pplicant software that supports the use of local switch passwords Caution Ensure that you do not introduce a security risk by allowing Unauthorized Client VLAN access to network services or resources that could be compro mised by an unauthorized client Configuring General 802 1X Operation These steps enable 802 1X authentication and must be done before configuring 802 1X VLAN operation 1 Enable 80...

Page 234: ...sUse EAP RADIUS authentication Refer to the documentation for your RADIUS server chap radiusUse CHAP RADIUS MD5 authentication Refer to the documentation for your RADIUS server software Syntax radius host ip address Adds a server to the RADIUS configuration key server specific key string Optional Specifies an encryption key for use with the specified server This key must match the key used on the ...

Page 235: ...VLAN Mode Use these commands to actually configure Open VLAN mode For a listing of the steps needed to prepare the switch for using Open VLAN mode refer to Preparation on page 8 34 For example suppose you want to configure 802 1X port access with Open VLAN mode on ports A10 A20 and These two static VLANs already exist on the switch Unauthorized VID 80 Authorized VID 81 Your RADIUS server has an IP...

Page 236: ...that port is configured as a member Note that the Menu interface will still display the port s statically configured VLAN s A VLAN used as the Unauthorized Client VLAN should not allow access to resources that must be protected from unauthenticated clients ProCurve config aaa authentication port access eap radius Configures the switch for 802 1X authentication using an EAP RADIUS server ProCurve c...

Page 237: ... member of the Unauthorized Client VLAN until the client disconnects from the port During an authentication session on a port in 802 1X Open VLAN mode if RADIUS specifies membership in an untagged VLAN this assignment overrides port membership in the Authorized Client VLAN If there is no Authorized Client VLAN configured then the RADIUS assignment overrides any untagged VLAN for which the port is ...

Page 238: ...ort Note Port Security operates with 802 1X authentication as described above only if the selected ports are configured as 802 1X that is with the control mode in the port access authenticator command set to auto For example to configure port A10 for 802 1X authenticator operation and display the result ProCurve config aaa port access authenticator e A10 control auto ProCurve config show port acce...

Page 239: ...he port but set to authorized Force Authorized use this command syntax to allow only an 802 1X aware device Not e If 802 1X port access is configured on a given port then port security learn mode for that port must be set to either continuous the default or port access In addition to the above to use port security on an authenticator port use the per port client limit option to control how many MA...

Page 240: ... port access auth port list client limit 1 8 Configures client based 802 1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn For more on this command refer to Configuring Switch Ports as 802 1X Authenticators on page 8 17 Or no aaa port access auth port list client limit Configures port based 802 1X authentication on the specified port...

Page 241: ...itions to the authenticated state If switch B is operating properly and is not 802 1X aware then the link should begin functioning normally but without 802 1X security If after sending one or more start request packets port A1 receives a request packet from port B5 then switch B is operating as an 802 1X authenticator The supplicant port then sends a response ID packet If switch B is configured fo...

Page 242: ...licant related parameters Configuring a Supplicant Switch Port Note that you must enable suppli cant operation on a port before you can change the supplicant configuration Thismeansyoumustexecutethe supplicantcommandoncewithoutanyother parameters then execute it again with a supplicant parameter you want to configure If the intended authenticator port uses RADIUS authentication then use the identi...

Page 243: ...uthen tication request If the intended authenticator port is configured for RADIUS authentication then user name and password must be the username and password expected by the RADIUS server If the intended authenticator port is configured for Local authentication then username and password must be the username and password configured on the Authenticator switch Defaults Null secret Enter secret pa...

Page 244: ...authenticator port Default 60 seconds start period 1 300 Sets the time period between Start packet retransmis sions That is after a supplicant sends a start packet it waits during the start period for a response If no response comes during the start period the supplicant sends a new start packet The max start setting above specifies how many start attempts are allowed in the session Default 30 sec...

Page 245: ...on counters displays whether port access authenticator is active Yes or No and the status of all ports configured for 802 1X authentication The Authenticator Backend State in this data refers to the switch s interaction with the authentication server With port list only same as above but limits port status to only the specified port Does not display data for a specified port that is not enabled as...

Page 246: ...er port access authenticator is active The statistics of the ports configured as 802 1X authenticators including the supplicant s MAC address as determined by the content of the last EAPOL frame received on the port Does not display data for a specified port that is not enabled as an authenticator session counters e port list Shows Whether port access authenticator is active The session status on ...

Page 247: ...her it meets 802 1X criteria Unauthorized Network access is blocked to any device connected to the port regardless of whether the device meets 802 1X criteria Max reqs Number of authentication attempts that must time out before authentication fails and the authentication session ends Quiet Period Period of time in seconds during which the port does not try to acquire a supplicant TX Timeout Period...

Page 248: ...h VLAN ID is configured and matches the Current VLAN ID in the above command output an authenticated client is connected to the port This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN An Unauth VLAN ID appearing in the Current VLAN ID column for the same port indicates an unauthenticated client is connected to this port Assumes that the port is not ...

Page 249: ...res the port to allow network access to any connected device that supports 802 1X authentication and provides valid 802 1X credentials This is the default authenticator setting FA Configures the port for Force Authorized which allows access to any device connected to the port regardless of whether it meets 802 1X criteria You can still configure console Telnet or SSH security on the port FU Config...

Page 250: ...ed port Current VLAN ID vlan id Lists the VID of the static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Table 8 3 Open VLAN Mode Status Status Indicator Meaning Syntax show vlan vlan id Displays the port status for the selected VLAN including an indication of which port memberships have been temporarily overridden by Open VLAN mode Note ...

Page 251: ...ction statistics it most recently received until one of the above events occurs Also if you move a link with an authenticator from one Syntax show port access supplicant e port list statistics show port access supplicant e port list Shows the port access supplicant configuration excluding the secret parameter for all ports or port list ports configured on the switch as supplicants The Supplicant S...

Page 252: ...t does not exist or is a dynamic VLAN created by GVRP authentication fails Also for the session to proceed the port must be an untagged member of the required VLAN If it is not the switch temporarily reassigns the port as described below If the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not alrea...

Page 253: ...t that the client use VLAN 22 then VLAN 22 becomes available as Untagged on port A2 for the duration of the session VLAN 33 becomes unavailable to port A2 for the duration of the session because there can be only one untagged VLAN on any port You can use the show vlan vlan id command to view this temporary change to the active configuration as shown below You can see the temporary VLAN assignment ...

Page 254: ...emporarily Drops Port 22 for the 802 1X Session This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802 1X session This is to accommodate an 802 1X client s access authenticated by a RADIUS server where the server included an instruction to put the client s access on VLAN 22 Note With the current VLAN configuration figure 8 10 the only time port A2 appears in this show vlan 22 ...

Page 255: ...e 802 1X Session Ends Notes Any port VLAN ID changes you make on 802 1X aware ports during an 802 1X authenticated session do not take effect until the session ends With GVRP enabled a temporary untagged static VLAN assignment created on a port by 802 1X authentication is advertised as an existing VLAN If this temporary VLAN assignment causes the switch to disable a configured untagged static VLAN...

Page 256: ...t on page 8 44 No server s responding This message can appear if you configured the switch for EAP RADIUS or CHAP RADIUS authentication but the switch does not receive a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that message page...

Page 257: ... Between down and Port Security 9 19 Deploying MAC Lockdown 9 21 MAC Lockout 9 25 Port Security and MAC Lockout 9 27 Web Displaying and Configuring Port Security Features 9 28 Reading Intrusion Alerts and Resetting Alert Flags 9 28 Notice of Security Violations 9 28 How the Intrusion Log Operates 9 29 Keeping the Intrusion Log Current by Resetting Alert Flags 9 30 Using the Event Log To Find Intru...

Page 258: ... intruders from receiving broadcast and multi cast traffic Basic Operation Default Port Security Operation The default port security setting for each port is off or continuous That is any device can access a port without causing a security reaction Intruder Protection A port that detects an intruder blocks the intruding device from transmitting to the network through that port Feature Default Menu...

Page 259: ...allowed to send inbound traffic through the port This feature Closes the port to inbound traffic from any unauthorized devices that are connected to the port Provides the option for sending an SNMP trap notifying of an attempted security violation to a network management station and optionally disables the port For more on configuring the switch for SNMP management refer to Trap Receivers and Auth...

Page 260: ...ion Ports configured for either Active or Passive LACP and which are not members of a trunk can be configured for port security Switch A Port Security Configured Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A PC 2 MAC Address NOT Authorized by Switch A PC 3 MAC Address NOT Authorized by Switch A Switch C MAC Address NOT Authorized by Switch A Switch A Port Secu...

Page 261: ...t detects or not d For each port what security actions do you want The switch automatically blocks intruders detected on that port from transmit ting to the network You can configure the switch to 1 send intrusion alarms to an SNMP management station and to 2 option ally disable the port on which the intrusion was detected e How do you want to learn of the security violation attempts the switch de...

Page 262: ...is section describes the CLI port security command and how the switch acquires and maintains authorized addresses Note Use the global configuration level to execute port security configuration commands show port security 9 11 port security 9 12 ethernet port list 9 12 learn mode 9 12 address limit 9 12 mac address 9 12 action 9 12 clear intrusion flag 9 12 no port security 9 12 ...

Page 263: ...d address limit That is if you enter fewer MAC addresses than you authorized the port fills the remainder of the address allowance with MAC addresses it automatically learns For example if you specify three authorized devices but enter only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses ...

Page 264: ...ent Based Access Control 802 1X on page 8 1 address limit integer When Learn Mode is set to static static learn or configured static configured this parameter specifies the number of authorized devices MAC addresses to allow Default 1 Range 1 to 8 mac address mac addr Available for static static learn and configured learn modes Allows up to eight authorized devices MAC addresses per port depending...

Page 265: ... alarm Causes the switch to send an SNMP trap to a network management station send disable Available only with learn mode configured and learn mode static Causes the switch to send an SNMP trap to a network management station and disable the port If you subsequently re enable the port without clearing the port s intrusion flag the port will block further intruders but the switch will not disable t...

Page 266: ...the startup config file to match the running config file Assigned Authorized MAC Addresses If you manually assign a MAC address using mac address mac addr and then execute write memory the assigned MAC address remains in memory unless removed by one of the methods described below Removing Learned and Assigned Static MAC Addresses To remove a static MAC address do one of the following Delete the ad...

Page 267: ... security displays operating control settings for all ports on a switch For example Figure 9 2 Example Port Security Listing Ports A7 and A8 Show the Default Setting Withportnumbersincludedinthecommand showport securitydisplaysLearn Mode Address Limit alarm Action and Authorized Addresses for the spec ified ports on a switch The following example lists the full port security configuration for a si...

Page 268: ...mac addr mac addr action none send alarm send disable clear intrusion flag For the configured option above refer to the Note on page 9 6 no port security port list mac address mac addr mac addr mac addr Specifying Authorized Devices and Intrusion Responses Learn Mode Static This example configures port A1 to automatically accept the first device MAC address it detects as the only authorized device...

Page 269: ...ort to static Learn Mode restores the configured device authorization Learn Mode Configured This option allows only MAC addresses specifi cally configured with learn mode configured mac address mac address and does not automatically learn non specified MAC addresses learned from the network This example configures port A1 to Allow only a MAC address of 0c0090 123456 as the authorized device Reserv...

Page 270: ...After executing the above command the security configuration for port A1 appears as Figure 9 5 Example of Adding a Second Authorized Device to a Port Note The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list If you change aportfromstatic tocontinuous learnmode theportretainsinmemory any authorized addresse...

Page 271: ...A1 that raises the address limit to 2 and specifies the additional device s MAC address For example ProCurve config port security a1 mac address 0c0090 456456 address limit 2 Removing a Device From the Authorized List for a Port Configured for Learn Mode Static This command option removes unwanted devices MAC addresses from the Authorized Addresses list An Authorized Address list is available for ...

Page 272: ...vice to automat ically become authorized If you use learn mode configured instead the switch cannot automatically add detected devices not included in the mac address configuration Refer to the Note on page 9 6 For example suppose port A1 is configured as shown below and you want to remove 0c0090 123456 from the Authorized Address list Figure 9 7 Example of Two Authorized Addresses on Port A1 The ...

Page 273: ...he MAC Address can only be used on the assigned port and the client device will only be allowed on the assigned VLAN Not e Port security and MAC Lockdown are mutually exclusive on a given port You can either use port security or MAC Lockdown but never both at the same time on the same port You will need to enter a separate command for each MAC VLAN pair you wish to lock down If you do not specify ...

Page 274: ... the port of the intruder If the device computer PDA wireless device is moved to a different port on the switch by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch the port will detect that the MAC Address is not on the appropriate port and will continue to send traffic out the port to which the addre...

Page 275: ...MAC address and a VLAN for lockdown MAC Lockdown on the other hand is not a list It is a global parameter on the switch that takes precedence over any other security mechanism The MAC Address will only be allowed to communicate using one specific port on the switch MAC Lockdown is a good replacement for port security to create tighter control over MAC addresses and which ports they are allowed to ...

Page 276: ...sages in the log file can be useful for troubleshooting problems If you are trying to connect a device which has been locked down to the wrong port it will not work but it will generate error messages like this to help you determine the problem Limiting the Frequency of Log Messages The first move attempt or intrusion is logged as you see in the example above Subsequent move attempts send a messag...

Page 277: ... paths The purpose of using MAC Lockdown is to prevent a malicious user from hijacking an approved MAC address so they can steal data traffic being sent to that address As we have seen MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing th...

Page 278: ...You can use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go through the one port on the edge switches That way users on the edge can still use other network resources but they cannot spoof Server A and hijack data traffic which is intended for that server alone 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch Inter...

Page 279: ...ge any traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect agains...

Page 280: ...the above figure would defeat the purpose of using STP or having an alternate path Technologies such as STP are primarily intended for an internal campus network environment in which all users are trusted STP does not work well with MAC Lockdown If you deploy MAC Lockdown as shown in the Model Topology in figure 9 9 page 9 22 you should have no problems with either security or connectivity M i x e...

Page 281: ...lemented on a per switch assignment You can think of MAC Lockout as a simple blacklist The MAC address is locked out on the switch and on all VLANs No data goes out or in from the blacklisted MAC address to a switch using MAC Lockout The number of MAC lockouts allowed per VLAN depends on the number of VLANs you have configured as shown below Table 9 1 Number of MAC Lockouts with VLANS To fully loc...

Page 282: ...ll ports MAC Lockout overrides MAC Lockdown port security and 802 1X authenti cation You cannot use MAC Lockout to lock Broadcast or Multicast Addresses Switches do not learn these Switch Agents The switch s own MAC Address If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file Lockout logging format W 10 30 03 21 35 15 maclock module...

Page 283: ...careful if you use both together however If a MAC Address is locked out and appears in a static learn table in port security the apparently authorized address will still be locked out anyway MACentryconfigurationssetbyportsecurity willbe keptevenifMAC Lockout is configured and the original port security settings will be honored once the Lockout is removed A port security static address is permitte...

Page 284: ...for that port and makes the intrusion information available as described below While the switch can detect additional intrusions for the same port it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset When a security violation occurs on a port configured for Port Security the switch responds in the following ways to n...

Page 285: ...l you acknowledge the earlier intrusion event by reset ting the alert flag The Intrusion Log lists the 20 most recently detected security violation attempts regardless of whether the alert flags for these attempts have been reset This gives you a history of past intrusion attempts Thus for example if there is an intrusion alert for port A1 and the Intrusion Log shows two or more entries for port 1...

Page 286: ... the port s alert flag and disables the port If you re enable the port without resetting the port s alert flag then the port operates as follows The port comes up and will block traffic from unauthorized devices it detects If the port detects another intruder it will send another SNMP trap but will not become disabled again unless you first reset the port s intrusion flag This operation enables th...

Page 287: ...ledged reset This is indicated by the following Because the Port Status screen figure 9 14 on page 9 31 does not indicate an intrusion for port A1 the alert flag for the intru sion on port A1 has already been reset Since the switch can show only one uncleared intrusion per port the older intrusion for port A3 in this example has also been previously reset The Intrusion Alert column shows Yes for a...

Page 288: ...the Intrusion Alert column in the port status display no longer shows Yes for the port on which the intrusion occurred port A3 in this example Because the Intrusion Log provides a history of the last 20 intrusions detected by the switch resetting the alert flags does not change its content Thus displaying the Intrusion Log again will result in the same display as in figure 9 15 above CLI Checking ...

Page 289: ...leared by earlier use of the clear intrusion log or the port security port list clear intrusion flag command The intrusion log holds up to 20 intrusion records and deletes intrusion records only when the log becomes full and new intrusions are subsequently added The prior to text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion o...

Page 290: ...us Screen After Alert Flags Reset For more on clearing intrusions see Note on Send Disable Operation on page 9 30 Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as W MM DD YY HH MM SS FFI port A3 Security Violation where W is the severity level of the log entry and FFI is the system module that generated the entry For further information display the Intru...

Page 291: ...de for your switch Web Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags 1 Check the Alert Log by clicking on the Status tab and the Overview button If there is a Security Violation entry do the following a Click on the Security tab b Click on IntrusionLog Ports with Intrusion Flag indicates any ports for which the alert flag has not been cleared c To clear the current ale...

Page 292: ...eset button Device Reset or Reboot Switch the Intrusion Log will list the time of all currently logged intrusions as prior to the time of the reset Alert Flag Status for Entries Forced Off of the Intrusion Log If the Intrusion Log is full of entries for which the alert flags have not been reset a newintrusionwillcausetheoldest entryto drop offthe list butwill not change the alert flag status for t...

Page 293: ... The command applies per port and filters the outbound traffic from a port This allows the configuration of two port groups on a switch protected ports and unprotected ports The ports have these characteristics Trafficfromprotectedportsisnotforwardedtootherprotectedports Protected ports can communicate with unprotected ports but not with each other Unprotected ports can communicate with all ports ...

Page 294: ...e been selected as protected ports Figure 9 22 Example of Running Config File Showing Protected Ports ProCurve config protected ports 7 Must have at least 2 ports configured as protected ProCurve config protected ports 7 8 Must configure at least two ports ProCurve config show protected ports Protected ports 7 8 Unprotected ports 1 6 9 48 ProCurve config show running config Running configuration J...

Page 295: ... internet Ports 2 and 4 are able to access the internet but are not able to communicate with each other or any of the other rooms that are connected to protected ports Figure 9 23 Example With Ports 1 8 Protected and Ports 9 and 10 Unprotected 2 4 9 10 Switch Router or Internet Room 2 Room 4 Unprotected Protected 1 8 3 5 6 7 Ports 1 8 are protected and cannot communicatewith each other They can on...

Page 296: ...9 40 Configuring and Monitoring Port Security Configuring Protected Ports ...

Page 297: ...enu Viewing and Configuring IP Authorized Managers 10 5 CLI Viewing and Configuring Authorized IP Managers 10 6 Web Configuring IP Authorized Managers 10 9 Building IP Masks 10 9 Configuring One Station Per Authorized Manager IP Entry 10 9 Configuring Multiple Stations Per Authorized Manager IP Entry 10 10 Additional Examples for Authorizing Multiple Stations 10 12 Operating Notes 10 12 ...

Page 298: ...tures If the Authorized IP Managers feature disallows access to the device then access is denied Thus with authorized IP managers configured having the correct passwords is not sufficient for accessing the switch through the network unless the station attempting access is also included in the switch s Authorized IP Managers configuration You can use Authorized IP Managers along with other access s...

Page 299: ...res available in the switch and preventing unauthorized access to data on your management stations Access Levels The Authorized IP Manager feature can assign an access level to stations using Telnet SNMPv1 or SNMPv2c for switch access The access level the switch allows for authorized stations using SSH SNMPv3 or the web browser interface is determined by the access application itself and not by th...

Page 300: ...tch without having to type an entry for every station All stations in the group defined by the one Authorized Manager IP table entry and its associated IP mask will have the same access level Manager or Operator For more on this topic refer to Config uring Multiple Stations Per Authorized Manager IP Entry on page 10 10 To configure the switch for authorized manager access enter the appropriate Aut...

Page 301: ...d Manager IP address to authorize four IP addresses for management station access The details on how to use IP masks are provided under Building IP Masks on page 10 9 Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch This mask serves a different purpose than IP subnet masks and is applied in a different manner Menu Viewing and...

Page 302: ...d IP Manager s Use the show ip authorized managers command to list IP stations authorized to access the switch For example 5 Press Enter then S for Save to configure the IP Authorized Manager entry 3 Use the default mask to allow access by one management device or edit the mask to allow access by a block of management devices See Building IP Masks on page 10 9 2 Enter an Authorized Manager IP addr...

Page 303: ...h 10 28 227 255 ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access manager IP Mask Authorized Station IP Address Access Mode 255 255 255 252 10 28 227 100 through 103 Manager 255 255 255 254 10 28 227 104 through 105 Manager 255 255 255 255 10 28 227 125 Manager 255 255 255 0 10 28 227 0 through 255 Operator Syntax ip authorized managers ip address Configures one or more aut...

Page 304: ...lue s Notice that any parameters not included in the command will be set to their default ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access operator The above command replaces the existing mask and access level for IP address 10 28 227 101 with 255 255 255 0 and operator The following command replaces the existing mask and access level for IP address 10 28 227 101 with 255 ...

Page 305: ...tton provided on the web browser screen Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask If you have ten or fewer management and or operator stations you can configure them qui...

Page 306: ...bits in the octet are on means only one value is allowed for that octet the value you specify in the corresponding octet of the Authorized Manager IP list A 0 all bits in the octet are off means that any value from 0 to 255 is allowed in the corresponding octet in the IP address of an authorized station You can also specify a series of values that are a subset of the 0 255 range by using a value t...

Page 307: ... Operator Level Device Access 4th Octet of IP Mask 4th Octet of Authorized IP Address 249 5 Bit Numbers Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0 Bit Values 128 64 32 16 8 4 2 1 4th Octet of IP Mask 249 Bits 1 and 2 in the mask are off and bits 0 and 3 7 are on creating a value of 249 in the 4th octet Where a mask bit is on the corresponding bit setting in the address of a potentially author...

Page 308: ...xy Servers If you use the web browser interface to access the switch from an authorized IP manager station it is recommended that you avoid the use of a web proxy server in the path between the station and the switch This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list This reduces security by opening switch acc...

Page 309: ... proxy service for web access to the switch To do so add the IP address or DNS name of the switch to the non proxy or Exceptions list in the web browser interface you are using on the authorized station If you don t need proxy server access at all on the authorized station then just disable the proxy server feature in the station s web browser interface ...

Page 310: ...10 14 Using Authorized IP Managers Operating Notes ...

Page 311: ...d 8 27 untagged membership 8 19 802 1x access control authenticate users 8 5 authenticator 8 18 unblock port 8 5 authorized client VLAN defined 8 7 auth vid 8 22 auto 8 20 clear statistics 8 25 control command 8 20 EAPOL 8 8 force authorized 8 20 force unauthorized 8 20 guest VLAN 8 7 8 8 initialize 8 25 logoff period 8 22 max requests 8 21 MD5 8 7 port based access 8 4 client without authenticati...

Page 312: ... troubleshooting 10 12 C certificate CA signed 7 4 root 7 4 self signed 7 4 Clear button to delete password protection 2 5 configuration port security 9 5 RADIUS See RADIUS SSH See SSH connection inactivity time 2 3 console for configuring authorized IP managers 10 5 D DES 6 3 7 3 disclaimer 1 ii duplicate IP address effect on authorized IP managers 10 12 E event log intrusion alerts 9 34 G guest ...

Page 313: ...erator only caution 2 3 pair 2 2 setting 2 4 password pair 2 2 password security 6 18 port security configuration 9 2 port access client limit 8 18 8 19 concurrent 8 18 8 19 See also 802 1X access control Web MAC 8 18 8 19 port security authorized address definition 9 3 authorized IP managers precedence 10 2 basic operation 9 2 configuring 9 5 configuring in browser interface 9 28 9 35 event log 9...

Page 314: ...33 9 36 Privacy Enhanced Mode PEM See SSH privilege mode 4 12 4 15 protected ports 9 37 configuring 9 37 logical ports 9 37 show protected ports show running config 9 38 proxy web server 9 36 Q quick start 1 8 R RADIUS accounting 5 2 5 25 accounting configuration outline 5 27 accounting configure server access 5 28 accounting configure types on switch 5 30 accounting exec 5 26 5 30 accounting inte...

Page 315: ...ient public key clearing 6 27 client public key creating file 6 24 client public key displaying 6 26 configuring authentication 6 18 crypto key 6 11 disabling 6 11 enable 6 16 7 19 enabling 6 15 erase host key pair 6 11 generate host key pair 6 11 generating key pairs 6 10 host key pair 6 11 key babble 6 11 key fingerprint 6 11 keys zeroing 6 11 known host file 6 13 6 15 man in the middle spoofing...

Page 316: ... 4 23 authentication local 4 25 authorized IP managers effect 4 30 authorized IP managers precedence 10 2 configuration authentication 4 11 configuration encryption key 4 22 configuration server access 4 18 configuration timeout 4 23 configuration viewing 4 10 encryption key 4 6 4 18 4 19 4 22 encryption key general operation 4 26 encryption key global 4 23 general operation 4 2 IP address server ...

Page 317: ...eration 3 5 blocked traffic 3 4 CHAP defined 3 9 usage 3 4 client status 3 30 configuration commands 3 18 configuring on the switch 3 17 switch for RADIUS access 3 15 features 3 4 general setup 3 12 LACP not allowed 3 11 redirect URL 3 9 rules of operation 3 10 show status and configuration 3 26 terminology 3 9 web browser interface for configuring authorized IP managers 10 7 10 9 web browser inte...

Page 318: ...8 Index ...

Page 319: ......

Page 320: ...e without notice Copyright 2008 Hewlett Packard Development Company L P All rights reserved Reproduction adaptation or translation without prior written permission is prohibited except as allowed under the copyright laws June 2008 Manual Part Number 5992 3097 ...

Reviews:

No comments

Related manuals for ProCurve 2510G Series

Brand: H3C Pages: 33

S5500-SI Series

Brand: H3C Pages: 1217

Brand: 3Com Pages: 2443

Brand: H3C Pages: 3

Brand: H3C Pages: 4

InterReach Fusion ADCP-77-044

Brand: TE Connectivity Pages: 236

Brand: Konig Pages: 73

Brand: Delta Electronics Pages: 1

Brand: TRENDnet Pages: 2

IE-SW-VL16-14TX-2SC

Brand: Weidmuller Pages: 17

StorageWorks AIT 35GB AutoLoader

Brand: Compaq Pages: 4

Storage Networking (Unified Fabric Pilot)

Brand: Qlogic Pages: 76

Brand: Asante Pages: 150

Brand: Moxa Technologies Pages: 36

Brand: ACTi Pages: 14

Brand: Tripp Lite Pages: 3

Brand: ZyXEL Communications Pages: 30

Brand: ZyXEL Communications Pages: 12

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands