manualshive.com logo in svg

HP PROCURVE 2910AL, Access Security Manual, Page: 220 / 594

Share
Download
HP PROCURVE 2910AL Access Security Manual Download Page 220

Configuring RADIUS Server Support for Switch Services  

Configuring and Using RADIUS-Assigned Access Control Lists 

RADIUS-assigned ACLs 

Static Port ACLs 

Allows one RADIUS-assigned ACL per authenticated client 
on a port. (Each such ACL filters traffic from a different, 
authenticated client.) 

Note:

 The switch provides ample resources for supporting 

RADIUS-assigned ACLs and other features. However, the 
actual number of ACLs supported  depends on the switch’s 
current feature configuration and the related resource 
requirements. For more information, refer to the appendix 
titled “Monitoring Resources” in the 

Management and 

Configuration Guide

 for your switch. 

Supports only extended ACLs. (Refer to Terminology.) 

A given RADIUS-assigned ACL filters only the IP traffic 
entering the switch from the authenticated client 
corresponding to that ACL, and does not filter IP traffic 
inbound from other authenticated clients.(The traffic source 
is not a configurable setting.) 

A given RADIUS-assigned ACL operates on a port to filter 
only the IP traffic entering the switch from the authenticated 
client corresponding to the ACL, and does not filter IP traffic 
inbound from other authenticated clients. (The traffic 
source is not a configurable setting.) 

ACEs allow a counter (

cnt

) option that causes a counter to 

increment when there is a packet match. 

Supports static ACLs 

Supports standard and extended ACLs 

A static port ACL 

applied on a port filters all traffic entering 

the switch through that port. 

No client authentication requirement. 

ACEs allow a 

log

 option that generates a log message 

whenever there is a packet match with a “deny” ACE. 

Caution Regarding

the Use of Source 

Routing 

Source routing is enabled by default on the switch and can be used to override 
ACLs. For this reason, if you are using ACLs to enhance network security, the 
recommended action is to use the 

no ip source-route 

command to disable 

source routing on the switch. (If source routing is disabled in the running­
config file, the

 show running

 command includes “

no ip source-route

” in the 

running-config file listing.) 

How a RADIUS Server Applies a RADIUS-Assigned 
ACL to a Switch Port 

A RADIUS-assigned ACL configured on a RADIUS server is identified and 
invoked by the unique credentials (username/password pair or a client MAC 
address) of the specific client the ACL is designed to service. Where the 
username/password pair is the selection criteria, the corresponding ACL can 
also be used for a group of clients that all require the same ACL policy and use 

6-14 

Summary of Contents for PROCURVE 2910AL

Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...

Page 2: ......

Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...

Page 4: ...and the following disclaimer in the documentation and or other materials provided with the distribution 3 The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLU DING BUT NOT LIMITED TO THE IMPLIED WARRAN TIES OF MERCHANTABILIT...

Page 5: ...tting Started with Access Security 1 10 Physical Security 1 10 Quick Start Using the Management Interface Wizard 1 11 CLI Management Interface Wizard 1 12 Web Management Interface Wizard 1 13 SNMP Security Guidelines 1 16 Precedence of Security Options 1 18 Precedence of Port Based Security Options 1 18 Precedence of Client Based Authentication Dynamic Configuration Arbiter 1 18 Network Immunity M...

Page 6: ...urity Settings that Can Be Saved 2 11 Local Manager and Operator Passwords 2 12 Password Command Options 2 13 SNMP Security Credentials 2 14 802 1X Port Access Credentials 2 15 TACACS Encryption Key Authentication 2 15 RADIUS Shared Secret Key Authentication 2 16 SSH Client Public Key Authentication 2 16 Operating Notes 2 19 Restrictions 2 21 Front Panel Security 2 23 When Security Is Important 2 ...

Page 7: ...ed Authentication 3 8 Terminology 3 10 Operating Rules and Notes 3 11 Setup Procedure for Web MAC Authentication 3 13 Before You Configure Web MAC Authentication 3 13 Configuring the RADIUS Server To Support MAC Authentication 3 15 Configuring the Switch To Access a RADIUS Server 3 16 Configuring Web Authentication 3 18 Overview 3 18 Configuration Commands for Web Authentication 3 19 Show Commands...

Page 8: ...sing the Privilege Mode Option for Login 4 11 Authentication Parameters 4 13 Configuring the TACACS Server for Single Login 4 13 Configuring the Switch s TACACS Server Access 4 18 How Authentication Operates 4 24 General Authentication Process Using a TACACS Server 4 24 Local Authentication Process 4 25 Using the Encryption Key 4 26 General Operation 4 26 Encryption Options in the Switch 4 26 Cont...

Page 9: ...d Viewing the SNMP Access Configuration 5 22 Local Authentication Process 5 24 Controlling Web Browser Interface Access 5 25 Commands Authorization 5 26 Enabling Authorization 5 27 Displaying Authorization Information 5 28 Configuring Commands Authorization on a RADIUS Server 5 28 Using Vendor Specific Attributes VSAs 5 28 Example Configuration on Cisco Secure ACS for MS Windows 5 30 Example Confi...

Page 10: ...iew 6 3 Per Port CoS 802 1p Priority and Rate Limiting 6 4 Applied Rates for RADIUS Assigned Rate Limits 6 5 Configuration Specified by a RADIUS Server 6 6 Configuring and Using RADIUS Assigned Access Control Lists 6 9 Introduction 6 9 Terminology 6 9 Overview of RADIUS Assigned Dynamic ACLs 6 12 Static ACLs 6 13 ACL to a Switch Port 6 14 General ACL Features Planning and Configuration 6 15 The Pa...

Page 11: ...Switch and Client Authentication 7 5 General Operating Rules and Notes 7 7 Configuring the Switch for SSH Operation 7 8 1 Assigning a Local Login Operator and Enable Manager Password 7 8 2 Generating the Switch s Public and Private Key Pair 7 9 Configuring Key Lengths 7 12 3 Providing the Switch s Public Key to Clients 7 12 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior ...

Page 12: ...ficate Generate a Self Signed Host Certificate with the Web Generate a CA Signed server host certificate with the with the CLI 8 9 Comments on Certificate Fields 8 10 browser interface 8 12 Web browser interface 8 15 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior 8 17 Using the CLI Interface to Enable SSL 8 19 Using the Web Browser Interface to Enable SSL 8 19 Common Er...

Page 13: ...ormance 9 24 Security 9 25 Guidelines for Planning the Structure of a Static ACL 9 26 IPv4 ACL Configuration and Operating Rules 9 27 How an ACE Uses a Mask To Screen Packets for Matches 9 28 Masks and the Masks Used with ACLs 9 28 Access Control Entry ACE 9 29 Configuring and Assigning an IPv4 ACL 9 34 Overview 9 34 General Steps for Implementing ACLs 9 34 Options for Permit Deny Policies 9 35 AC...

Page 14: ... 79 Resequencing the ACEs in an ACL 9 80 Attaching a Remark to an ACE 9 81 Operating Notes for Remarks 9 84 Displaying ACL Configuration Data 9 85 Display an ACL Summary 9 86 Display the Content of All ACLs on the Switch 9 87 Display Static Port ACL Assignments 9 88 Displaying the Content of a Specific ACL 9 89 Display All ACLs and Their Assignments in the Routing Switch Startup Config File and Ru...

Page 15: ...tabase 10 11 Operational Notes 10 12 Log Messages 10 13 Dynamic ARP Protection 10 15 Introduction 10 15 Enabling Dynamic ARP Protection 10 17 Configuring Trusted Ports 10 17 Adding an IP to MAC Binding to the DHCP Database 10 19 Configuring Additional Validation Checks on ARP Packets 10 20 Verifying the Configuration of Dynamic ARP Protection 10 20 Displaying ARP Packet Statistics 10 21 Monitoring...

Page 16: ...Source Port Filters 11 9 Static Multicast Filters 11 15 Protocol Filters 11 16 Configuring Traffic Security Filters 11 17 Configuring a Source Port Traffic Filter 11 18 Example of Creating a Source Port Filter 11 19 Configuring a Filter on a Port Trunk 11 19 Editing a Source Port Filter 11 20 Configuring a Multicast or Protocol Traffic Filter 11 21 Filter Indexing 11 22 Displaying Traffic Security...

Page 17: ...12 20 B Specify User Based Authentication or Return to Port Based Authentication 12 21 Example Configuring User Based 802 1X Authentication 12 22 Example Configuring Port Based 802 1X Authentication 12 22 2 Reconfigure Settings for Port Access 12 22 3 Configure the 802 1X Authentication Method 12 26 4 Enter the RADIUS Host IP Address es 12 27 5 Enable 802 1X Authentication on the Switch 12 27 6 Op...

Page 18: ...t 12 66 How RADIUS 802 1X Authentication Affects VLAN Operation 12 67 VLAN Assignment on a Port 12 68 Operating Notes 12 68 Example of Untagged VLAN Assignment in a RADIUS Based Authentication Session 12 70 Enabling the Use of GVRP Learned Dynamic VLANs in Authentication Sessions 12 73 Messages Related to 802 1X Operation 12 75 Configuring and Monitoring Port Security Contents 13 1 Overview 13 3 P...

Page 19: ...ntrusions Listing Intrusion Alerts and Resetting Alert Flags 13 37 Using the Event Log To Find Intrusion Alerts Web Checking for Intrusions Listing Intrusion 13 39 Alerts and Resetting Alert Flags 13 40 Operating Notes for Port Security 13 41 14 Using Authorized IP Managers Contents 14 1 Overview 14 2 Options 14 3 Access Levels 14 3 Defining Authorized Management Stations 14 3 Overview of IP Mask ...

Page 20: ...le Stations Per Authorized Manager IP Entry 14 10 Additional Examples for Authorizing Multiple Stations 14 12 Operating Notes 14 13 15 Key Management System Contents 15 1 Overview 15 2 Terminology 15 2 Configuring Key Chain Management 15 3 Creating and Deleting Key Chain Entries 15 3 Assigning a Time Independent Key to a Chain 15 4 Assigning Time Dependent Keys to a Chain 15 5 Index xviii ...

Page 21: ...cations The latest version of each of the publications listed below is available in PDF format on the ProCurve Web site as described in the Note at the top of this page Installation and Getting Started Guide Explains how to prepare for and perform the physical installation and connect the switch to your network Management and Configuration Guide Describes how to configure manage and monitor basic ...

Page 22: ...r to the IPv6 Configuration Guide Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide 802 1Q VLAN Tagging X 802 1X Port Based Priority X 802 1X Multiple Authenticated Clients Per Port X Access Control Lists ACLs X AAA Authentication X Authorized IP Managers X Authorized Manager List Web Telnet TFTP X Auto MD...

Page 23: ...ion Dynamic Configuration Arbiter Eavesdrop Protection Event Log X X X X Factory Default Settings Flow Control 802 3x File Management File Transfers X X X X Friendly Port Names Guaranteed Minimum Bandwidth GMB GVRP Identity Driven Management IDM X X X X IGMP Interface Access Telnet Console Serial Web IP Addressing IP Routing X X X X Jumbo Packets LACP Link LLDP X X X X LLDP MED Loop Protection MAC...

Page 24: ...uration Files Network Management Applications SNMP OpenView Device Management X X X X X X X X Passwords and Password Clear Protection ProCurve Manager PCM Ping Port Configuration X X X X Port Monitoring Port Security Port Status Port Trunking LACP X X X X Port Based Access Control 802 1X Power over Ethernet PoE Protocol Filters Protocol VLANS X X X X Quality of Service QoS RADIUS Authentication an...

Page 25: ...ads SCP SFTP TFPT Xmodem Source Port Filters Spanning Tree STP RSTP MSTP SSHv2 Secure Shell Encryption X X X X SSL Secure Socket Layer Stack Management 3500yl 6200yl switches only Syslog System Information X X X X TACACS Authentication Telnet Access TFTP Time Protocols TimeP SNTP X X X X Traffic Mirroring Traffic Security Filters Troubleshooting Uni Directional Link Detection UDLD X X X X UDP Forw...

Page 26: ...tware Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide Voice VLAN Web Authentication RADIUS Support Web based Authentication Web UI Xmodem X X X X X xxiv ...

Page 27: ...10 Quick Start Using the Management Interface Wizard 1 11 CLI Management Interface Wizard 1 12 Web Management Interface Wizard 1 13 SNMP Security Guidelines 1 16 Precedence of Security Options 1 18 Precedence of Port Based Security Options 1 18 Precedence of Client Based Authentication Dynamic Configuration Arbiter 1 18 Network Immunity Manager 1 19 Arbitrating Client Specific Attributes 1 20 ProC...

Page 28: ...ovides guidelines on how to prepare the switch for secure network operation About This Guide This Access Security Guide describes how to configure security features on your switch Not e For an introduction to the standard conventions used in this guide refer to the Getting Started chapter in the Management and Configuration Guide for your switch For More Information For IPv6 specific security sett...

Page 29: ...zard on page 1 11 for details Table 1 1 Access Security and Switch Authentication Features Feature Default Setting Security Guidelines More Information and Configuration Details Manager no password ConfiguringalocalManagerpasswordisafundamental password step in reducing the possibility of unauthorized access through the switch s Web browser and console CLI and Menu interfaces TheManagerpasswordcan...

Page 30: ... more on Telnet and web browser access refer to the chapter on Interface Access and System Information in the Management and Configuration Guide For RADIUS accounting refer to Chapter 6 RADIUS Authentication and Accounting SSH disabled SSH provides Telnet like functions through encrypted Quick Start Using the authenticated transactions of the following types Management Interface client public key ...

Page 31: ... to determine Chapter 15 Using Managers whether to allow management access to the switch Authorized IP Managers across the network through the following Telnet and other terminal emulation applications The switch s Web browser interface SNMP with a correct community name Secure Management VLAN disabled This feature creates an isolated network for managing the ProCurve switches that offer this feat...

Page 32: ...le client to open the port switch operation as a supplicant for point to point connections to other 802 1X compliant ProCurve switches Web and MAC none These options are designed for application on the edge Chapter 4 Web and MAC Authentication of a network to provide port based security measures Authentication for protecting private networks and the switch itself from unauthorized access Because n...

Page 33: ...osis and automated updates to the switch via the USB flash drive When enabled in secure mode this is done with secure credentials to prevent tampering Note that the USB Autorun feature is disabled automatically once a password has been set on the switch Management and Configuration Guide Appendix A File Transfers refer to the section USB Autorun Traffic Security none These statically configured fi...

Page 34: ... device authentication or protection from malicious manipulation of data carried in IP packet transmissions they should not be relied upon for a complete security solution Port Security none The features listed below provide device based access Chapter13 Configuringand MACLockdown security in the following ways Monitoring Port Security and MAC Port security Enables configuration of each switch Loc...

Page 35: ...raffic Protection attacks or configuration errors Management Guide refer to BPDU Filtering and BPDU Protection Protects the the chapter Multiple network from denial of service attacks that use Instance Spanning Tree spoofing BPDUs by dropping incoming BPDU frames Operation and or blocking traffic through a port STP Root Guard Protects the STP root bridge from malicious attacks or configuration mis...

Page 36: ...ess vulnerability existing in your network and take steps to ensure that all reasonable security precautions are in place This includes both configurable security options and physical access to the switch Switch management access is available through the following methods Front panel access to the console serial port see Physical Security Inbound Telnet access Web browser access SNMP access For gu...

Page 37: ...fer Files to and from the Switch and Using USB Autorun in the Management and Configuration Guide Appendix A File Transfers Quick Start Using the Management Interface Wizard The Management Interface wizard provides a convenient step by step method to prepare the switch for secure network operation It guides you through the process of locking down the following switch operations or protocols setting...

Page 38: ... password Confirm password Restrict SNMP access to SNMPv3 only no SNMPv2 community name notpublic SNMPv2 Community access level unrestricted Telnet enabled yes SSH enabled no Web management enabled yes Restrict Web access to SSL no Timeout for ssh telnet sessions 0 Operator password Manager password Restrict SNMP access to SNMPv3 only no SNMPv2 community name notpublic SNMPv2 Community access leve...

Page 39: ...rompt CLI Wizard Operating Notes and Restrictions Once a password has been configured on the switch you cannot remove it using the CLI wizard Passwords can be removed by executing the no password command directly from the CLI When you restrict SNMP access to SNMPv3 only the options SNMPv2 community name and access level will not appear The wizard displays the first available SNMPv2 community and a...

Page 40: ... lost if you click on the Web browser s navigation tabs Click OK to close the alert and then advance through the following setup pages Operator Password Manager Password SNMP Telnet SSH Web Management GUI USB Autorun Timeout see pages for details and setup options At each page you have the following options Enter a new value and or make a new selection or click Continue to keep the current value a...

Page 41: ...pply To quit the Setup screen without saving any changes click Exit To return to the previous screen click Back Web Wizard Operating Notes and Restrictions If you click on the Web interface s navigation tab during setup all configuration changes will be lost If an Operator or Manager password has been configured on the switch the enable USB Autorun option is not available When you restrict SNMP ac...

Page 42: ...s include configuring device communities as a means for excluding management access by unauthorized stations configuring for access authentication and privacy reporting events to the switch CLI and to SNMP trap receivers restricting non SNMPv3 agents to either read only access or no access co existing with SNMPv1 and v2c if necessary SNMP Access to the Authentication Configuration MIB A management...

Page 43: ...e authentication configuration MIB accessible then you should do the following to help ensure that unauthorized work stations cannot use SNMP tools to access the MIB a Configure SNMP version 3 management and access security on the switch b Disable SNMP version 2c on the switch For details on this feature refer to the section titled Using SNMP To View and Configure Switch Authentication Features on...

Page 44: ...rt 1 Disabled Enabled physical port 2 MAC lockout Applies to all ports on the switch 3 MAC lockdown 4 Port security 5 Authorized IP Managers 6 Application features at higher levels in the OSI model such as SSH The above list does not address the mutually exclusive relationship that exists among some security features Precedence of Client Based Authentication Dynamic Configuration Arbiter The Dynam...

Page 45: ...he assignment of attributes on both authenticated and non authenticated ports DCA does not support the arbitration and assignment of client specific attributes on trunk ports Network Immunity Manager Network Immunity Manager NIM is a plug in to ProCurve Manager PCM and a key component of the ProCurve Network Immunity security solution that provides comprehensive detection and per port response to ...

Page 46: ...figure an untagged VLAN for use in an authenticated or unauthenticated client session Note that the attribute profile assigned to a client is often a combination of NIM configured RADIUS assigned and statically configured settings Precedence is always given to the temporarily applied NIM configured parameters over RADIUS assigned and locally configured parameters For information on Network Immunit...

Page 47: ...ing on which are next in the hierarchy of precedence In addition DCA supports conflict resolution for QoS port based CoS priority and rate limiting ingress by determining whether to configure either strict or non strict resolution on a switch wide basis For example if multiple clients authenticate on a port and a rate limiting assignment by a newly authenticating client conflicts with the rate lim...

Page 48: ...ts to the network This operation enables the network to approve or deny access at the edge of the network instead of in the core distinguish among different users and what each is authorized to do configure guest access without compromising internal security Criteria for enforcing RADIUS based security for IDM applications includes classifiers such as authorized user identity authorized device ide...

Page 49: ...curity Credentials 2 11 Security Settings that Can Be Saved 2 11 Local Manager and Operator Passwords 2 12 Password Command Options 2 13 SNMP Security Credentials 2 14 802 1X Port Access Credentials 2 15 TACACS Encryption Key Authentication 2 15 RADIUS Shared Secret Key Authentication 2 16 SSH Client Public Key Authentication 2 16 Operating Notes 2 19 Restrictions 2 21 Front Panel Security 2 23 Wh...

Page 50: ... Switch s Front Panel 2 29 Re Enabling the Clear Button on the Switch s Front Panel and Setting or Changing the Reset On Clear Operation 2 30 Changing the Operation of the Reset Clear Combination 2 31 Password Recovery 2 32 Disabling or Re Enabling the Password Recovery Process 2 32 Password Recovery Process 2 34 2 2 ...

Page 51: ... Manager and Operator For security you can set a password pair username and password on each of these levels Not e s Usernames are optional Also in the menu interface you can configure passwords but not usernames To configure usernames use the CLI or the web browser interface Usernames and passwords for Manager and Operator access can also be configured using SNMP For more information refer to Usi...

Page 52: ...swordpair andanOperatorpasswordpair ifapplicable for your system 2 Exit from the current console session A Manager password pair will now be needed for full access to the console If you do steps 1 and 2 above then the next time a console session is started for either the menu interface or the CLI a prompt appears for a password Assuming you have protected both the Manager and Operator levels the l...

Page 53: ...low management access for that session Passwords are case sensitive When configuring an operator or manager password a message will appear indicating that USB autorun has been disabled For more information on the autorun feature refer to the Appendix A on File Transfers in the Manage ment and Configuration Guide for your switch C a u t i o n If the switch has neither a Manager nor an Operator pass...

Page 54: ... Select Set Manager Password or Set Operator Password You will then be prompted with Enter new password b Type a password of up to 16 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new console session you will ...

Page 55: ...Level access 1 Enter the console at the Manager level 2 Go to the Set Passwords screen as described above 3 Select Delete Password Protection You will then see the following prompt Continue Deletion of password protection No 4 Press the Space bar to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot start a con s...

Page 56: ...iguring Manager and Operator Passwords To Remove Password Protection Removing password protection means to eliminate password security This command prompts you to verify that you want to remove one or both passwords then clears the indicated password s This command also clears the username associated with a password you are removing For example to remove the Operator password and username if assig...

Page 57: ...ace 1 Click on the Security tab Click on Device Passwords 2 Do one of the following To set username and password protection enter the usernames and passwords you want in the appropriate fields To remove username and password protection leave the fields blank 3 Implement the usernames and passwords by clicking on Apply Changes SNMP Setting Passwords and Usernames Usernames and passwords for Manager...

Page 58: ... authentication sessions with TACACS servers RADIUS shared secret encryption keys used to encrypt packets and secure authentication sessions with RADIUS servers Secure Shell SSH public keys used to authenticate SSH clients that try to connect to the switch Benefits of Saving Security Credentials The benefits of including and saving security credentials in a configuration file are as follows Afterm...

Page 59: ...enticator port access security credentials and SSH client public keys in the running configuration Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running config file To view the currently configured security settings in the running configuration enter one of the following commands show running...

Page 60: ... is an alphanumeric string for the user name assigned to the manager or operator hash type indicates the type of hash algorithm used SHA 1 or plain text pass hash is the SHA 1 authentication protocol s hash of the pass word or clear ASCII text For example a manager username and password may be stored in a running config file as follows password manager user name George SHA1 2fd4e1c67a2d28fced849ee...

Page 61: ...password the clear ASCII text string or SHA 1 hash of the password You can enter a manager operator or 802 1X port access password in clear ASCII text or hashed format However manager and operator passwords are displayed and saved in a configuration file only in hashed format port access passwords are displayed and saved only as plain ASCII text After you enter the complete command syntax the pass...

Page 62: ...tocol to encrypt SNMPv3 messages between the switch and the station The following example shows the additional security credentials for SNMPv3 users that can be saved in a running config file snmpv3 user boris auth md5 9e4cfef901f21cf9d21079debeca453 priv 82ca4dc99e782db1a1e914f5d8f16824 snmpv3 user alan auth sha 8db06202b8f293e9bc0c00ac98cf91099708ecdf priv 5bc4313e9fd7c2953aaea9406764fe8bb629a53...

Page 63: ...y from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch For information on the new password command syntax see Password Command Options on page 2 13 After you enter the complete password port access command syntax the password is set You are not prompted to enter the password a second time TACACS Enc...

Page 64: ...across the network For more information refer to 3 Configure the Switch To Access a RADIUS Server on page 5 15 in this guide RADIUS shared secret encryption keys can be saved in a configuration file by entering this command ProCurve config radius server key keystring The option keystring is the encryption key in clear text used for secure communication with all or a specific RADIUS server SSH Clie...

Page 65: ...or the public key must be a single quoted token If the keystring contains double quotes it can be quoted with single quotes keystring The following restrictions for a keystring apply A keystring cannot contain both single and double quotes A keystring cannot have extra characters such as a blank space or a new line However to improve readability you can add a backlash at the end of each line Not e...

Page 66: ...cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7 1kVOdS G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK piG Q1el1w9zsMaxPA1XJzSY imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf LdQ2kqZjUuIyV9 LWyLg5ybS1kFLeOt0oo2Jbpy U2e4jh2Bb77sX3G5C0 spock sfc gov ip ssh public key manager ssh rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R JRs1Eov6y1RK3XkmgVatzl mspiEmPS4wNK7bX IoXNdGrGkoE8tPkxlZOZ oqGCf5Zs50P1n...

Page 67: ...tch boots up The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off A warning message reminds you to permanently save a security setting After you enter theinclude credentials command the currently configured manager and operator usernames and passwords RADIUS shared se...

Page 68: ...guration files Each configuration filecontainsitsownsecuritycredentialsandthesesecurityconfigurations may differ It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported If you have already enabled the storage of...

Page 69: ...he file with the current software version the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file To display the engine ID of a switch enter the show snmpv3 engine id command To configure authentication and privacy passwords for SNMPv3 users enter the snmpv3 use...

Page 70: ...using the include credentials command Note that the password port access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch For more information about how to use the password port access command to configure operator passwords and usernames for 802 1X authentica tion see DoTheseSteps...

Page 71: ...urance Portability and Accountability Act HIPAA of 1996 requires that systems handling and transmitting confidential medical records must be secure It used to be assumed that only system and network administrators would be able to get access to a network switch because switches were typically placed in secure locations under lock and key For some customers this is no longer true Others simply want...

Page 72: ...eset buttons on the front of the switch Front Panel Button Functions The System Support Module SSM of the switch includes the System Reset button and the Clear button Figure 2 6 Front Panel Reset and Clear Buttons Clear Button Pressing the Clear button alone for one second resets the password s con figured on the switch Reset Clear Figure 2 7 Press the Clear Button for One Second To Reset the Pass...

Page 73: ... the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button Reset Clear 2 While holding the Reset button press and hold the Clear button Reset Clear 3 Release the Reset button 2 25 ...

Page 74: ...text in the CLI you can Disable or re enable the password clearing function of the Clear button Disabling the Clear button means that pressing it does not remove local password protection from the switch This action affects the Clear button when used alone but does not affect the operation of the Reset Clear combination described under Restor ing the Factory Default Configuration on page 2 25 Conf...

Page 75: ...abled then pressing the Clear button erases the local usernames and passwords from the switch When reset on clear is enabled pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch Enabling reset on clear automatically enables clear password Default Disabled Note If you have stored security credentials including the local manager and operator usern...

Page 76: ...ling this option is an extreme measure and is not recommended unless you have the most urgent need for high security If you disable password recovery and then lose the password you will have to use the Reset and Clear buttons page 2 25 to reset the switch to its factory default configuration and create a new password For example show front panel security produces the following output when the swit...

Page 77: ...oes not erase passwords when disabled you can still use it with the Reset button Reset Clear to restore the switch to its factory default configuration as described under Restoring the Factory Default Configuration on page 2 25 This command displays a Caution message in the CLI If you want to proceed with disabling the Clear button type Y otherwise type N For example Indicates the command has disa...

Page 78: ...disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password clear Note If you disable password clear and also disable the password recovery option you can still recover from a lost password by using the Reset Cle...

Page 79: ...n combination to replace the switch s current configu ration with the factory default configuration and render the switch acces sible without the need to input a username or password You can use the factory reset command to prevent the Reset Clear combination from being used for this purpose Syntax no front panel security factory reset Disables or re enables the following functions associated with...

Page 80: ...witch without resetting the switch to its factory default configuration in the event that the system administrator loses the local manager username if configured or password Using Pass word Recovery requires password recovery enabled the default on the switch prior to an attempt to recover from a lost username password situation Contacting your ProCurve Customer Care Center to acquire a one time u...

Page 81: ...switch allows management access through the password recovery process described below This provides a method for recovering from a lost manager username if configured and password When this feature is disabled the password recovery process is disabled and the only way to regain management access to the switch is to use the Reset Clear button combination page 2 25 to restore the switch to its facto...

Page 82: ...cover from a lost manager username password pair is to use the Reset Clear button combination described under Restoring the Factory Default Configuration on page 2 25 This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured To use the password recovery option to re...

Page 83: ...r is valid only for a single login attempt You cannot use the same one time use password if you lose the password a second time Because the password algorithm is randomized based upon your switch s MAC address the pass word will change as soon as you use the one time use password provided to you by the ProCurve Customer Care Center 2 35 ...

Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...

Page 85: ... Rules and Notes 3 11 Setup Procedure for Web MAC Authentication 3 13 Before You Configure Web MAC Authentication 3 13 Configuring the RADIUS Server To Support MAC Authentication 3 15 Configuring the Switch To Access a RADIUS Server 3 16 Configuring Web Authentication 3 18 Overview 3 18 Configuration Commands for Web Authentication 3 19 Show Commands for Web Authentication 3 26 Configuring MAC Aut...

Page 86: ...ation methods rely on a RADIUS server to authenticate network access This simplifies access security management by allowing you to control access from a master database in a single server You can use up to three RADIUS servers to provide backups in case access to the primary server fails It also means the same credentials can be used for authentication regardless of which switch or switch port is ...

Page 87: ...ice configuration or a logon session MAC authentication is well suited for clients that are not capable of providing interactive logons such as telephones printers and wireless access points Also because most RADIUS servers allow for authentication to depend on the source switch and port through which the client connects to the network you can use MAC Auth to lock a particular device to a specific...

Page 88: ...f Web authentication should complete first MAC authentication will cease even though it is possible that MAC authentication could succeed There is no guarantee that MAC authentication ends before Web authentica tion begins for the client Concurrent Web and MAC authentication is backward compatible with all existing user configurations Authorized and Unauthorized Client VLANs Web Auth and MAC Auth ...

Page 89: ...ured A RADIUS assigned VLAN has priority over switch port membership in any VLAN Wireless Clients You can allow wireless clients to move between switch ports under Web MAC Authentication control Clients may move from one Web authorized port to another or from one MAC authorized port to another This capability allows wireless clients to move from one access point to another without having to reauth...

Page 90: ...mporary IP address pool to be used by DHCP by configuring the dhcp addr and dhcp lease options when you enable web authentication with the aaa port access web based command The Secure Socket Layer SSLv3 TLSv1 feature provides remote web access to the network via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL TLS If you have enabled S...

Page 91: ...r 2 above apply but the port is an untagged member of a statically configured port based VLAN then the port remains in this VLAN 4 If neither 1 2 or 3 above apply then the client session does not have access to any statically configured untagged VLANs and client access is blocked The assigned port VLAN remains in place until the session ends Clients may be forced to reauthenticate after a fixed pe...

Page 92: ...the unauth vid are dropped from the port MAC based Authentication When a client connects to a MAC Auth enabled port traffic is blocked The switch immediately submits the client s MAC address in the format specified by the addr format as its certification credentials to the RADIUS server for authentication If the client is authenticated and the maximum number of MAC addresses allowed on the port ad...

Page 93: ...s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid credentials or a RADIUS server timeout The server timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out The max requests parameter specifies how many authentication attempts may result in a RADIUS ...

Page 94: ...username and password before being allowed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified web page presented to an authorized client following Web Au...

Page 95: ...not enabled on the port For example be sure that Port Security is disabled on a port before configuring the port for Web or MAC Authentication If Port Security is enabled on the port this misconfiguration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to configure VLAN assignments in your RADIUS server or consider using either A...

Page 96: ...figure one or both of these options any services you want clients in either category to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port In this case if there is a successful request for aut...

Page 97: ...tion on those ports For more information see Loop Protection in the chapter titled Multiple Instance Spanning Tree Opera tion in the Advanced Traffic Management Guide Setup Procedure for Web MAC Authentication Before You Configure Web MAC Authentication 1 Configure a local username and password on the switch for both the Operator login and Manager enable access levels While this is not required fo...

Page 98: ... for authenticated clients a If you configure the RADIUS server to assign a VLAN for an authen ticated client this assignment overrides any VLAN assignments con figured on the switch while the authenticated client session remains active Note that the VLAN must be statically configured on the switch b IfthereisnoRADIUS assignedVLAN theportcanjoinan Authorized VLAN forthedurationoftheclientsession i...

Page 99: ...owing If you are configuring Web based authentication include the user name and password for each authorized client If you are configuring MAC based authentication enter the device MAC address in both the username and password fields of the RADIUS policy configuration for that device Also if you want to allow a particular device to receive authentication only through a designated port and switch i...

Page 100: ...figured in the switch Thus for a given switch the MAC address is the same for all VLANs configured on the switch Refer to the chapter titled Static Virtual LANs VLANs in the Advanced Traffic Management Guide for your switch Configuring the Switch To Access a RADIUS Server RADIUS Server Configuration Commands radius server host ip address below key global key string below radius server host ip addr...

Page 101: ...s configured in the switch include a server specific encryption key Default Null Syntax radius server host ip address key server specific key string no radius server host ip address key Optional Specifies an encryption key for use during authentication or accounting sessions with the speci fied server This key must match the encryption key used on the RADIUS server Use this command only if the spe...

Page 102: ... server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Optional To use SSL encryption for web authentication login configure and enable SSL on the switch 7 Enable web authentication on the switch ports you want to use 8 Configure the optional settings that you want to use for web authentica t...

Page 103: ...t list controlled directions both in 3 20 no aaa port access web based port list 3 22 auth vid 3 22 clear statistics 3 22 client limit 3 22 client moves 3 23 dhcp addr 3 23 dhcp lease 3 23 logoff period 3 23 max requests 3 23 max retries 3 24 quiet period 3 24 reauth period 3 24 reauthenticate 3 24 redirect url 3 25 server timeout 3 25 unauth vid 3 36 3 19 ...

Page 104: ...for web authentication before authentication occurs Out going traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication Prerequisites As implemented in 802 1X authentica tion the disabling of incoming traffic and transmis sion of outgoing traffic on a web authenticated egress port in an unauthenticated state using the aaa port access controlle...

Page 105: ...ke on LAN feature is used by network administrators to remotely power on a sleeping workstation for example during early morning hours to perform routine maintenance operations such as patch management and software updates Using the aaa port access controlled directions in command you can enable the transmission of Wake on LAN traffic on unauthenticated egress ports that are configured for any of ...

Page 106: ...h vid is 0 no VLAN changes occur unless the RADIUS server supplies one Use the no form of the command to set the auth vid to 0 Default 0 aaa port access web based clear statistics Clears resets to 0 all counters used to monitor the HTTP and Web Auth control traffic generated in web authentication session To display Web Auth traffic statistics enter the show port access web based statis tics comman...

Page 107: ...ss web based dhcp lease 5 25 Specifies the lease length in seconds of the temporary IP address issued for Web Auth login purposes Default 10 seconds Syntax aaa port access web based port list logoff period 60 9999999 Specifies the period in seconds that the switch enforces for an implicit logoff This parameter is equivalent to the MAC age interval in a traditional switch sense If the switch does n...

Page 108: ...s web based port list quiet period 1 65535 Specifies the time period in seconds the switch uses before sending an authentication request for a client that failed authentication Default 60 seconds Syntax aaa port access web based port list reauth period 0 9999999 Specifies the time period in seconds the switch enforces on a client to re authenticate When set to 0 reauthentication is disabled Defaul...

Page 109: ...RL when using Web Authentica tion Note The redirect url command accepts only the first 103 characters of the allowed 127 characters Use the no form of the command to remove a specified redirect URL Default There is no default URL Browser behavior for authenticated clients may not be acceptable Syntax aaa port access web based e port list server timeout 1 300 Specifies the period in seconds the swi...

Page 110: ...port includes Number of authorized and unauthorized clients VLAN ID number of the untagged VLAN used If the switch supports MAC based untagged VLANs MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions If tagged VLANs statically configured or RADIUS assigned are used Yes or No If client specific per port CoS Class of Service values are configured Ye...

Page 111: ...e learned through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If a web authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table n a no info is displayed ProCurve config show port access web based cli...

Page 112: ...imit 100 Tagged VLANs 1 3 5 6 334 2566 RADIUS ACL List deny in udp from any to 10 2 8 233 CNT Hit Count 0 permit in udp from any to 10 2 8 233 CNT Hit Count 0 deny in tcp from any to 10 2 8 233 CNT Hit Count 0 permit in tcp from any to 10 2 8 233 CNT Hit Count 0 permit in tcp from any to 0 0 0 0 0 CNT Hit Count 0 Figure 3 8 Example of show port access web based clients detailed Command Output Synt...

Page 113: ...zed and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0 the default VLAN ID is used unless overridden by a RADIUS assigned value ProCurve config show port access web based config Port Access Web Based Configuration DHCP Base Address 192 168 0 0 DHCP Subnet Mask 255 255 255 0 DHCP Lease Length 10 Allow RADIUS assigned dynamic GVRP VLANs No No Client Client Logoff Re Auth ...

Page 114: ...ified ports ProCurve config show port access web based config 1 detailed Port Access Web Based Detailed Configuration Port 1 Web based enabled Yes Client Limit 1 Client Moves No Logoff Period 300 Re Auth Period 0 Unauth VLAN ID 0 Auth VLAN ID 0 Max Requests 3 Quiet Period 60 Server Timeout 30 Max Retries 3 SSL Enabled No Redirect URL Figure 3 10 Example of show port access web based config detail ...

Page 115: ...on login attempts ProCurve config show port access web based config auth server Port Access Web Based Configuration Client Client Logoff Re Auth Max Quiet Server Port Enabled Limit Moves Period Period Req Period Timeout 1 Yes 1 No 300 0 3 60 30 2 No 1 No 300 0 3 60 30 Figure 3 11 Example of show port access web based config auth server Command Output Syntax show port access web based config port l...

Page 116: ...ignments have been made 3 Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC Auth on the switch 4 Configure the switch with the correct IP address and encryption key to access the RADIUS server 5 Configure the switch for MAC Auth a Configure MAC Authentication on the switch ports you want to use 6...

Page 117: ... colon no delimiter uppercase single dash uppercase multi dash uppercase multi colon uppercase Specifies the MAC address format to be used in the RADIUS request message This format must match the format used to store the MAC addresses in the RADIUS server Default no delimiter no delimiter specifies an aabbccddeeff format single dash specifies an aabbcc ddeeff format multi dash specifies an aa bb c...

Page 118: ... moves between the specified ports under MAC Auth control When enabled the switch allows addresses to move without requiring a re authentica tion When disabled the switch does not allow moves and when one does occur the user will be forced to re authenticate At least two ports from port s and to port s must be specified Use the no form of the command to disable MAC address moves between ports unde...

Page 119: ...5 Specifies the time period in seconds that the switch waits before processing an authentication request from a MAC address that failed authentication Default 60 seconds Syntax aaaport accessmac based e port list reauth period 0 9999999 Specifies the time period in seconds that the switch enforces on a client to re authenticate The client remains authenticated while the reauthentication occurs Whe...

Page 120: ...plays the status of all ports or specified ports that are enabled for MAC authentication The information displayed for each port includes Number of authorized and unauthorized clients VLAN ID number of the untagged VLAN used If the switch supports MAC based untagged VLANs MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions If tagged VLANs staticall...

Page 121: ...ed is taken from the DHCP binding table learned through the DHCP Snooping feature If DHCP snooping is not enabled on the switch n a not available is displayed for a client s IP address If a MAC authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table n a no info is displayed ProCurve...

Page 122: ...ssion Status authenticated Session Time sec 6 Username client1 MAC Address 0010b5 891a9e IP n a Access Policy Details COS Map 12345678 In Limit 98 Untagged VLAN 4006 Out Limit 100 Tagged VLANs 1 3 5 6 334 4001 RADIUS ACL List deny in udp from any to 10 2 8 233 CNT Hit Count 0 permit in udp from any to 10 2 8 233 CNT Hit Count 0 deny in tcp from any to 10 2 8 233 CNT Hit Count 0 permit in tcp from ...

Page 123: ...on egress ports Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0 the default VLAN ID is used unless overridden by a RADIUS assigned value ProCurve config show port access mac based config Port Access MAC Based Configuration MAC Address Format no delimiter Allow RADIUS assigned dynamic GVRP VLANs No No Client Client Logoff Re Auth Unauth Auth Cntrl Port Enab...

Page 124: ...entication settings for specified ports ProCurve config show port access mac based config 1 detailed Port Access MAC Based Detailed Configuration Port 1 Web based enabled Yes Client Limit 1 Client Moves No Logoff Period 300 Re Auth Period 0 Unauth VLAN ID 0 Auth VLAN ID 0 Max Requests 3 Quiet Period 60 Server Timeout 30 Figure 3 16 Example of show port access mac based config detail Command Output...

Page 125: ... period Numberoftimeoutssupported before authenticationlogin fails Length of time quiet period supported between authentication login attempts ProCurve config show port access mac based config auth server Port Access MAC Based Configuration Client Client Logoff Re Auth Max Quiet Server Port Enabled Limit Moves Period Period Req Period Timeout 1 No 1 No 300 0 3 60 30 2 No 1 No 300 0 3 60 30 3 Yes 1...

Page 126: ...lties See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan UnauthorizedVLANonly 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfully applied to the port An author...

Page 127: ...0 Configuring the Switch s Authentication Methods 4 11 Using the Privilege Mode Option for Login 4 11 Authentication Parameters 4 13 Configuring the TACACS Server for Single Login 4 13 Configuring the Switch s TACACS Server Access 4 18 How Authentication Operates 4 24 General Authentication Process Using a TACACS Server 4 24 Local Authentication Process 4 25 Using the Encryption Key 4 26 General O...

Page 128: ...figured for TACACS Operation Terminal A Directly Accessing the Switch Via Switch s Console Port Terminal B Remotely Accessing The Switch Via Telnet A Primary TACACS Server The switch passes the login requestsfromterminalsAandB to the TACACS server for authentication The TACACS server determines whether to allow access to the switch and what privilege level to allow for a given access request Acces...

Page 129: ... in this guide and any other TACACS capable devices in your network you must purchase install and configure a TACACS server application on a networked server or management station in the network The TACACS server application you install will provide various options for access control and access notifications For more on the TACACS services available to you see the documentation provided with the T...

Page 130: ...l or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central server and to do so with more options than you have when using only local authentication You will still need to use local authentication as a backup if your TACACS servers become unavailable This means for example that you can use a central TACACS se...

Page 131: ...ion This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect web browser interface access Refer to Controlling Web Browser Interface Access When Using TACACS Authentication on page 4 27 General Authentication Setup Procedure It is important to test the TACACS service before fully implementing it Depending on t...

Page 132: ...word pair global key or a server specific key administered by the TACACS depending on the encryption server for controlling access to the configuration in the TACACS switch server s The username password pairs you The number of log in attempts you want to use for local authentication will allow before closing a log in one pair each for Operator and session Default 3 Manager levels 3 Plan and enter...

Page 133: ...sole for access if the configuration for the Telnet method needs debugging 6 Ensure that the switch is configured to operate on your network and can communicate with your first choice TACACS server At a minimum this requires IP addressing and a successful ping test from the switch to the server 7 On a remote terminal device use Telnet to attempt to access the switch If the attempt fails use the co...

Page 134: ...cedure on page 4 5 and configure your TACACS server s before configuring authentication on the switch The switch offers three command areas for TACACS operation show authentication and show tacacs Displays the switch s TACACS configuration and status aaa authentication A command for configuring the switch s authentication methods tacacs server A command for configuring the switch s contact with TA...

Page 135: ...thentication Configuration This command lists the number of login attempts the switch allows in a single login session and the primary secondary access methods configured for each type of access Syntax show authentication This example shows the default authentication configuration Configuration for login and enable access to the switch through the switch console port Configuration for login and en...

Page 136: ...CS servers the switch can contact Syntax show tacacs For example if the switch was configured for a first choice and two backup TACACS server addresses the default timeout period and paris 1 for a global encryption key show tacacs would produce a listing similar to the following First Choice TACACS Server Second Choice TACACS Server Third Choice TACACS Server Figure 4 3 Example of the Switch s TAC...

Page 137: ...n for Login When using TACACS to control user access to the switch you must first login with your username at the Operator privilege level using the password for Operator privileges and then login again with the same username but using the Manger password to obtain Manager privileges You can avoid this double login process by entering the privilege mode option with the aaa authentication login com...

Page 138: ...ed to the switch by the TACACS server Default Single login disabled local tacacs radius Selects the type of security access local Authenticates with the Manager and Operator password you configure in the switch tacacs Authenticates with a password and other data configured on a TACACS server radius Authenticates with a password and other data configured on a RADIUS server local none If the primary...

Page 139: ... Specifies the secondary backup type of authentication being or configured none local Theusername passwordpairconfiguredlocallyintheswitch for the privilege level being configured none No secondary type of authentication for the specified method privilege path Available only if the primary method of authentication for the access being configured is local Note If you do not specify this parameter i...

Page 140: ...privilege level is the only level that will allow Manager level access on the switch Figure 4 4 Advanced TACACS Settings Section of the TACACS Server User Setup Then scroll down to the section that begins with Shell See Figure 4 5 Check the Shell box Check the Privilege level box and set the privilege level to 15 to allow root privileges This allows you to use the single login option 4 14 ...

Page 141: ...r User Setup As shown in the next table login and enable access is always available locally through a direct terminal connection to the switch s console port However for Telnet access you can configure TACACS to deny access if a TACACS server goes down or otherwise becomes unavailable to the switch 4 15 ...

Page 142: ...ng local authentication which uses passwords configured in the switch instead of in a TACACS server the switch grants read only access if you enter the Operator password and read write access if you enter the Manager password For example if you configure authentication on the switch with Telnet Login Primary as Local and Telnet Enable Primary as Tacacs when you attempt to Telnet to the switch you ...

Page 143: ...sing TACACS server Secondary using Local ProCurve config aaa authentication console enable tacacs local Telnet Login Operator or Read Only Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication Telnet login tacacs local Telnet Enable Manager or Read Write Access Primary using TACACS server Secondary using Local ProCurve config aaa authentication telnet enable t...

Page 144: ...seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the switch still fails to receive a response from any TACACS server it reverts to whatever secondary authentication method was configured ...

Page 145: ...ys configured in TACACS servers the switch will attempt to use for authentication If you configure a global encryption key the switch uses it only with servers for which you have not also configured a server specific key Thus a global key is more useful where the TACACS servers you are using all have an identical key and server specific keys are necessary where different TACACS servers have differ...

Page 146: ...already configured entering another server IP address makes that server the second choice backup TACACS server 3 When there are two TACACS servers already configured entering another server IP address makes that server the third choice backup TACACS server The above position assignments are fixed Thus if you remove one server and replace it with another the new server assumes the priority position...

Page 147: ...does not detect a response within the timeout period it initiates a new request to the next TACACS server in the list If all TACACS servers in the list fail to respond within the timeout period the switch uses either local authentication if configured or denies access if none configured for local authentication Adding Removing or Changing the Priority of a TACACS Server Suppose that the switch was...

Page 148: ... key then the authentication attempt will fail Use a global encryption key if the same key applies to all TACACS servers the switch may use for authentication attempts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 4 26 To configure north01 as a global encryption key ProCurve ...

Page 149: ...ring The keystring parameter is the encryption key in clear text Note The show tacacs command lists the global encryption key if configured However to view any configured per server encryption keys you must use show config or show config running if you have made TACACS configuration changes without executing write mem Configuring the Timeout Period The timeout period specifies how long the switch ...

Page 150: ... 4 8 above after either switch detects an operator s logon request from a remote or directly connected terminal the following events occur 1 The switch queries the first choice TACACS server for authentication of the request If the switch does not receive a response from the first choice TACACS server it attempts to query a secondary server If the switch does not receive a response from any TACACS...

Page 151: ...o local authentica tion only if one of these two conditions exists Local is the authentication option for the access method being used TACACS istheprimaryauthenticationmodefortheaccessmethodbeing used However the switch was unable to connect to any TACACS servers or no servers were configured AND Local is the secondary authentica tion mode being used For a listing of authentication options see tab...

Page 152: ...assignment in the TACACS server application that applies to all TACACS aware devices for which an individual key has not been configured Server Specific key A unique key assignment in the TACACS server application that applies to a specific TACACS aware device Note Configure a key in the switch only if the TACACS server application has this exact same key configured for the switch That is if the k...

Page 153: ...al key in the switch ProCurve config tacacs server key north40campus Suppose that you subsequently add a third TACACS server with an IP address of 10 28 227 87 that has south10campus for an encryption key Because this key is different than the one used for the two servers in the previous example youwill needtoassigna server specifickey in the switchthatapplies only to the designated server ProCurv...

Page 154: ...tch was not able to contact the first choice TACACS server and is now attempting to contact the next secondary TACACS server identified in the switch s tacacs server configuration Invalid password The system does not recognize the username or the password or both Depending on the authentication method tacacs or local either the TACACS server application did not recognize the username password pair...

Page 155: ...xcludes because independent of TACACS the switch already denies access to such stations When TACACS is not enabled on the switch or when the switch s only designatedTACACS serversare notaccessible settingalocalOperator password without also setting a local Manager password does not protect the switch from manager level access by unauthorized persons When using the copy command to transfer a config...

Page 156: ...TACACS Authentication Operating Notes 4 30 ...

Page 157: ...US To Protect 5 10 2 Enable the Optional Access Privilege Option 5 13 3 Configure the Switch To Access a RADIUS Server 5 15 4 Configure the Switch s Global RADIUS Parameters 5 17 Using SNMP To View and Configure Switch Authentication Features 5 21 Changing and Viewing the SNMP Access Configuration 5 22 Local Authentication Process 5 24 Controlling Web Browser Interface Access 5 25 Commands Authori...

Page 158: ...witch To Access a RADIUS Server 5 38 2 Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server 5 40 3 Optional Configure Session Blocking and Interim Updating Options 5 42 Viewing RADIUS Statistics 5 43 General RADIUS Statistics 5 43 RADIUS Authentication Statistics 5 45 RADIUS Accounting Statistics 5 46 Changing RADIUS Server Access Order 5 47 Messages Related to RADI...

Page 159: ...each RADIUS server employed For authentication this allows a different password for each user instead of having to rely on maintaining and distributing switch specific passwords to all users For accounting this can help you track network resource usage Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the ProCurve switch Serial...

Page 160: ...upport these optional RADIUS assigned attributes 802 1p CoS priority assignment to inbound traffic on the specified port s port access authentication only Per Port Rate Limiting on a port with an active link to an authenti cated client port access authentication only SNMP Access to the Switch s Authentication Configuration MIB The switch s default configuration allows SNMP access to the hpSwitchAu...

Page 161: ...n as an EAP type such as MD5 Challenge Generic Token Card and TLS Transport Level Security EXEC Session a service EXEC shell granted to the authenticated login user for doing management operations on the ProCurve device Host See RADIUS Server NAS Network Access Server In this case a ProCurve switch configured for RADIUS security operation RADIUS Remote Authentication Dial In User Service a protoco...

Page 162: ...er in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 5 47 YoucanselectRADIUSastheprimaryauthenticationmethodforeach type of access Only one primary and one secondary access method is allowed for each access type In the ProCurve switch EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server When primary secondary authentic...

Page 163: ...ches covered in this guide Figure 5 1 Example of Possible RADIUS Access Assignments Determine the IP address es of the RADIUS server s you want to support the switch You can configure the switch for up to three RADIUS servers If you need to replace the default UDP destination port 1812 the switch uses for authentication requests to a specific RADIUS server select it before beginning the configurat...

Page 164: ...ncludes in its authentication message to the switch Refer to 2 Enable the Optional Access Privilege Option on page 5 13 Configure RADIUS on the server s used to support authentication on the switch Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page aaa authentication 5 10 console telnet ssh web enable login local radius 5 10 web based mac based chap radius peap ra...

Page 165: ...5 10 3 Configure the switch for accessing one or more RADIUS servers one primary server and up to two backup servers Note This step assumes you have already configured the RADIUS server s to support the switch Refer to the documentation provided with the RADIUS server documentation Server IP address Optional UDP destination port for authentication requests default 1812 recommended Optional UDP des...

Page 166: ...vailable and then try to log on again Number of Login Attempts This is actually an aaa authentication command It controls how many times per session a RADIUS client and clients using other forms of access can try to log in with the correct username and password Default Three times per session For RADIUS accounting features refer to Configuring RADIUS Accounting on page 5 35 1 Configure Authenticat...

Page 167: ...in chap radius peap mschapv2 Password authentication for web based or mac based port access to the switch Use peap mschapv2 when you want pass word verification without requiring access to a plain text password it is more secure Default chap radius none authorized Provides options for secondary authentication The none option specifies that a backup authentication method is not used The authorized ...

Page 168: ...Privilege Disabled Login Login Enable Enable Access Task Primary Secondary Primary Secondary Console Local None Local None The access methods Telnet Local None Local None with secondary authentication Port Access Local Authorized N A N A configuredasauthorized Webui Local None Local None allows the client access SSH Local None Local None tothenetworkevenifthe Web Auth ChapRadius Authorized N A N A...

Page 169: ...en clients connected to your network can gain access to either the Operator or Manager level without encountering the RADIUS authentication specified for Enable Primary Refer to Local Authentication Process on page 5 24 2 Enable the Optional Access Privilege Option In the default RADIUS operation the switch automatically admits any authen ticatedclienttothe Login Operator privilege level even if t...

Page 170: ...her Type Any ValueExcept 6 or 7 Access Denied This feature applies to console serial port Telnet SSH and web browser interface access to the switch It does not apply to 802 1X port access Notes While this option is enabled a Service Type value other than 6 or 7 or an unconfigured null Service Type causes the switch to deny access to the requesting client The no form of the command returns the swit...

Page 171: ...ses The switch uses the first server it successfully accesses Refer to Changing the RADIUS Server Access Order on page 5 47 auth port port number Optional Changes the UDP destination port for authenti cation requests to the specified RADIUS server host If you do not use this option with the radius server host command the switch automatically assigns the default authentication port number The auth ...

Page 172: ...authentication to break when the startup configuration file was loaded back onto the switch You now can save the configured RADIUS shared secret encryption key to a configuration file by entering the following commands include credentials write memory For more information see Saving Security Credentials in a Config File on page 2 10 in this guide no radius server host ip address key Use the no for...

Page 173: ...ration Compare this with Figure 5 5 Sample Configuration for RADIUS Server After Changing the Key and Adding Another Server To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 5 47 4 Configure the Switch s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters Number of login attempts In a gi...

Page 174: ...cation from a server that has not responded to previous requests Retransmit attempts If the first attempt to contact a RADIUS serverfails specifieshowmanyretriesyouwanttheswitchtoattempt on that server Syntax aaa authentication num attempts 1 10 Specifies how many tries for entering the correct user name and password before shutting down the session due to input errors Default 3 Range 1 10 no radi...

Page 175: ...ss being attempted console Telnet or SSH If this occurs refer to RADIUS Related Problems in the Troubleshooting chapter of the Manage ment and Configuration Guide for your switch For example suppose that your switch is configured to use three RADIUS serversforauthenticatingaccessthroughTelnetandSSH Twooftheseservers use the same encryption key In this case your plan is to configure the switch with...

Page 176: ...session Global RADIUS parameters from figure 5 6 These two servers will use the global encryption key Server specific encryption key for the RADIUS server that will not use the global encryption key Note The Webui access task shown in this figure is available only ontheswitches coveredin this guide Figure 5 7 Listings of Global RADIUS Parameters Configured In Figure 5 6 5 20 ...

Page 177: ...authentication features listed above excluding usernames passwords and keys Using SNMPsets a managementdevicecanchangetheauthenticationconfiguration includingchangesto usernames passwords andkeys Operatorread write access to the authentication MIB is always denied All usernames passwords and keys configured in the hpSwitchAuth MIB are not returned via SNMP and the response to SNMP queries for such...

Page 178: ...hentication configuration MIB in the Excluded MIBs field For example to disable SNMP access to the switch s authentication MIB and then display the result in the Excluded MIB field you would execute the following two commands ProCurve config snmp server mib hpswitchauthmib excluded ProCurve config show snmp server SNMP Communities Community Name MIB View Write Access public Manager Unrestricted Tr...

Page 179: ... Configuration Editor Created on release W 14 XX hostname ProCurve snmp server mib hpSwitchAuthMIB excluded ip default gateway 10 10 24 55 snmp server community public Operator vlan 1 IndicatesthatSNMPaccesstothe authentication configuration MIB hpSwitchAuth is disabled name DEFAULT_VLAN untagged A1 A24 B1 B4 ip address 10 10 24 100 255 255 255 0 exit password manager Figure 5 9 Using the show run...

Page 180: ...requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level of the swit...

Page 181: ...ed in this guide Configure local authentication a Manager user name and password and optionally an Operator user name and password on the switch Configure the switch s Authorized IP Manager feature to allow web browser access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Use one of the following methods to disable web browser ac...

Page 182: ... for a user by enabling AAA RADIUS authorization The NAS uses the information set up on the RADIUS server to control the user s access to CLI commands The authorization type implemented on the switches covered in this guide is the commands method This method explicitly specifies on the RADIUS server which commands are allowed on the client device for authenticated users This is done on a per user ...

Page 183: ...ation information For example to enable the RADIUS protocol as the authorization method ProCurve config aaa authorization commands radius When the NAS sends the RADIUS server a valid username and password the RADIUS server sends an Access Accept packet that contains two attributes the command list and the command exception flag When an authenticated user enters a command on the switch the switch e...

Page 184: ...Attributes VSAs Some RADIUS based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server RADIUS Access Accept packets sent to the switch may contain the vendor specific informa tion The attributes supported with commands authorization are HP Command String List of commands regular expressions that are permitted or denied execution by the user The comm...

Page 185: ...tOthers 1 Authenticated user may execute all commands except those in the Commands list Commands List PermitList DenyOthers 0 Authenticated user can execute only those commands provided in the Commands List plus the default commands Commands List Not present Authenticated user can only execute commands from the Commands List plus the default commands Empty Commands Not present Authenticate user ca...

Page 186: ...le for example hp ini containing the HP VSA definitions as shown in the example below User Defined Vendor The Name and IETF vendor code and any VSAs MUST be unique One or more VSAs named max 255 Each named VSA requires a definition section Types are STRING INTEGER IPADDR The profile specifies usage IN for accounting OUT for authorization MULTI if more than a single instance is allowed per RADIUS m...

Page 187: ...it is not running as it can prevent registry backup restore operations Are you sure you want to proceed Y or N y Parsing hp ini for addition at UDV slot 0 Stopping any running services Creating backup of current config Adding Vendor HP added as RADIUS HP Done Checking new configuration New configuration OK Re starting stopped services 4 Start the registry editor regedit and browse to HKEY_LOCAL_MA...

Page 188: ...d String VSA for RADIUS accounting 1 Select System Configuration 2 Select Logging 3 Select CSV RADIUS Accounting In the Select Columns to Log section add the HP Command String attribute to the Logged Attributes list 4 Select Submit 5 Select Network Configuration In the AAA Clients section select an entry in the AAA Client Hostname column You will go to the AAA Client Setup screen 6 Check the box f...

Page 189: ...E Hp Command Exception 3 integer Hp Hp Command Exception Attribute Values VALUE Hp Command Exception Permit List 0 VALUE Hp Command Exception Deny List 1 2 Find the location of the dictionary files used by FreeRADIUS try usr local share freeradius 3 Copy dictionary hp to that location Open the existing dictionary file and add this entry INCLUDE dictionary hp 4 You can now use HP VSAs with other at...

Page 190: ...o return to the switch for a client session HP acct terminate cause A ProCurve proprietary RADIUS accounting attribute that allows a switch to report to the RADIUS server why an authentication session was terminated This informa tion allows customers to diagnose network operational problems and generate reports on terminated sessions This attribute provides extended information on the statistics p...

Page 191: ...ort the switch If you have not already done so refer to General RADIUS Setup Procedure on page 5 7 before continuing here RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch such as a logoff or a reboot The switches covered in this guide support four types of accounting services Network accounting Provides ...

Page 192: ... s IP address after the client is authenticated DHCP snooping is queried for the IP address of the client so DHCP snooping must be enabled for the VLAN of which the client is a member When the switch begins communications with the RADIUS server it sends the IP address of the client requesting access to the RADIUS server as RADIUS Attribute 8 Framed IP Address in the RADIUS accounting request The R...

Page 193: ...rveraccessfailsduring a session it will not receive accounting data transmitted from the switch Steps for Configuring RADIUS Accounting 1 Configure the switch for accessing a RADIUS server You can configure a list of up to three RADIUS servers one primary two backup The switch operates on the assumption that a server can operate in both accounting and authentication mode Refer to the documentation...

Page 194: ...name access to the switch 1 Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters you should first configure the switch to use a RADIUS server This is the same as the process described on page 5 15 You need to repeat this step here only if you have not yet configured the switch to use a RADIUS server your server data has changed or you need to specify...

Page 195: ...turn to page 5 15 For example suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes IP address 10 33 18 151 A non default UDP port number of 1750 for accounting For this example assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings and that RADIUS is already configu...

Page 196: ...counting data it currently has when one of the above events occurs Network Use Network if you want to collect accounting information on 802 1X port based access users connected to the physical ports on the switch to access the network See also Accounting Services on page 4 Commands When commands authorization is enabled a record accounting notice is sent after the execution of a command Web or MAC...

Page 197: ...ted data only whenthere is a reboot reload or accounting on off event Syntax no aaa accounting exec network system commands start stop stop only radius Configures RADIUS accounting type and how data will be sent to the RADIUS server For example to configure RADIUS accounting on the switch with start stop for exec functions and stop only for system functions Configuresexecandsystem accounting and c...

Page 198: ... accounting update periodic 1 525600 Sets the accounting update period for all accounting ses sions on the switch The no form disables the update function and resets the value to zero Default zero dis abled Syntax no aaa accounting suppress null username Disables accounting for unknown users having no user name Default suppression disabled To continue the example in figure 5 12 suppose that you wa...

Page 199: ...DIUS configuration including the server IP addresses Optional form shows data for a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Configuring RADIUS Accounting on page 5 35 Figure 5 14 Example of General RADIUS Information from Show Radius Command 5 43 ...

Page 200: ...those in which they remain the same Timeouts The number of accounting timeouts to this server After a timeout the client may retry to the same server send to a different server or give up A retry to the same server is counted as a retransmit as well as a timeout A send to a different server is counted as an Accounting Request as well as a timeout Malformed Responses The number of malformed RADIUS ...

Page 201: ...ntication Statistics Syntax show authentication Displays the primary and secondary authentication meth ods configured for the Console Telnet Port Access 802 1X and SSH methods of accessing the switch Also displays the number of access attempts currently allowed in a session show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch s interactions wit...

Page 202: ... Lists configured accounting interval Empty User suppres sion status accounting types methods and modes show radius accounting Lists accounting statistics for the RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the switch Figure 5 18 Listing the Accounting Configuration in the Switch 5 46 ...

Page 203: ...list Adding or deleting a RADIUS server IP address leaves an empty position but does not change the position of any other server addresses in the list For example if you initially configure three server addresses they are listed in the order in which you entered them However if you subsequently remove the second server address in the list and add a new server address the new address will be placed...

Page 204: ...DIUS Server To exchange the positions of the addresses so that the server at 10 10 10 003 will be the first choice and the server at 10 10 10 001 will be the last you would do the following 1 Delete 10 10 10 003 from the list This opens the third lowest position in the list 2 Delete 10 10 10 001 from the list This opens the first highest position in the list 3 Re enter 10 10 10 003 Because the swi...

Page 205: ...addresses from the RADIUS server list Inserts the 003 address in the first position in the RADIUS server list and inserts the 001 address in the last position in the list Shows the new order in which the switch searches for a RADIUS server Figure 5 22 Example of New RADIUS Server Search Order 5 49 ...

Page 206: ...tly configured to receive an authentication request from the switch No server s responding The switch is configured for and attempting RADIUS authentication however it is not receiving a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for ...

Page 207: ...ate Limits 6 4 Configuration Specified by a RADIUS Server 6 5 Configuring and Using RADIUS Assigned Access Control Lists 6 8 Introduction 6 8 Terminology 6 8 Overview of RADIUS Assigned Dynamic ACLs 6 11 Static ACLs 6 12 ACL to a Switch Port 6 13 General ACL Features Planning and Configuration 6 14 The Packet filtering Process 6 15 Operating Rules for RADIUS Assigned ACLs 6 16 Configuring an ACL i...

Page 208: ...witch To Support RADIUS Assigned ACLs 6 23 Displaying the Current RADIUS Assigned ACL Activity Causes of Client Deauthentication Immediately on the Switch 6 25 ICMP Type Numbers and Keywords 6 27 Event Log Messages 6 28 After Authenticating 6 29 Monitoring Shared Resources 6 29 6 2 ...

Page 209: ...er 6 RADIUS Authentication and Accounting Optional PCM and IDM Applications ProCurve Manager is a Windows based network management solution for all manageable ProCurve devices It provides network mapping and polling capabilities device auto discovery and topology tools for device configuration and management monitoring network traffic and alerts and troubleshooting information for ProCurve network...

Page 210: ...Limiting applied to all clients on the port are those that are assigned by RADIUS for the most recently authenticated client Service Control Method and Operating Notes 802 1p CoS Priority Assignments on Inbound Traffic This feature assigns a RADIUS specified 802 1p priority to all inbound packets received on a port supporting an authenticated client Vendor Specific Attribute configured in the RADI...

Page 211: ...onfigured on the client s port on the ProCurve switch For more on Rate Limiting refer to Rate Limiting in the Port Traffic Controls chapter of the Management and Configuration Guide for your switch Applied Rates for RADIUS Assigned Rate Limits On the switches covered by this guide rate limits are applied incrementally as determined by the RADIUS applied rate For any given bandwidth assign ment the...

Page 212: ...100 Mbps 1 200 000 50 000 Kbps 1 300 000 100 Mbps 1 300 000 0 Viewing the Currently Active Per Port CoS and Rate Limiting Configuration Specified by a RADIUS Server While a port access authenticated client session is active any RADIUS imposed port settings override their counterparts in the port s configuration For example if the switch configuration allows port B1 a rate limit of 80 of the port s...

Page 213: ... show qos port priority displays for all port access authentica tion methods 802 1X Web Auth and MAC Auth the status of RADIUS imposed overrides of the switch s per port CoS 802 1p priority for inbound packets ProCurve config show rate limit all Port 2 has a rate limit of 500 Kbps with no RADIUS override Inbound Rate Limit Maximum Port 3 has a 50 percent rate limit which is 50 of the port s availa...

Page 214: ...ority most recently configured for application to packets with that codepoint The 5 in the Radius Override column indicates that there is currently at least one authenticated client session on port B4 and that the most recent RADIUS imposed CoS priority for the port is 5 which overrides the configured DSCP setting See also the following Note Figure 6 2 Example of Displaying Inbound CoS 802 1p Prio...

Page 215: ...refer to chapter 9 IPv4 Access Control Lists ACLs Terminology ACE See Access Control Entry below Access Control Entry ACE An ACE is a policy consisting of a packet handling action and criteria to define the packets on which to apply the action For RADIUS assigned ACLs the elements composing the ACE include permit or drop action in ip packet type from any source to ip address mask any destination p...

Page 216: ...namic Port ACL See RADIUS Assigned ACL Implicit Deny If the switch finds no matches between an inbound packet and the configured criteria in an applicable ACL then the switch denies drops the packet with an implicit deny IP any any operation You can preempt the implicit deny IP any any in a given ACL by configuring permit in ip from any to any as the last explicit ACE in the ACL Doing so permits a...

Page 217: ...port to filter inbound IP traffic from a specific client authenticated by the server for that port Static Port ACL An ACL statically configured on a specific port group of ports or trunk A static port ACL filters all incoming traffic on the port regardless of whether it is switched or routed VSA Vendor Specific Attribute A value used in a RADIUS based config uration to uniquely identify a networki...

Page 218: ...ntering the switch from clients that authenticate with the unique credentials The switch allows multiple RADIUS assigned ACLs on a given port up to the maximum number of authenticated clients allowed on the port A RADIUS assigned ACL filters IP traffic entering the switch from the client whose authentication initiated the ACL assignment Filtering criteria is based on destination and or IP traffic ...

Page 219: ...nt accounts on a RADIUS server Designed for use on the edge of the network where filtering of IP traffic entering the switch from individual authenticated clients is most important and where clients with differing access requirements are likely to use the same port Implementation requires client authentication Identified by the credentials username password pair or the MAC address of the specific ...

Page 220: ...enticated clients The traffic source is not a configurable setting ACEs allow a counter cnt option that causes a counter to increment when there is a packet match Supports static ACLs Supports standard and extended ACLs A static port ACL applied on a port filters all traffic entering the switch through that port No client authentication requirement ACEs allow a log option that generates a log mess...

Page 221: ...efault ip deny any any applies to all other IPv4 traffic On a given port RADIUS assigned ACL filtering applies to all IPv4 traffic once a client is authenticated Multiple Clients Sharing the Same RADIUS Assigned ACL When multiple clients supported by the same RADIUS server use the same creden tials they will all be serviced by different instances of the same ACL The actual IP traffic inbound from ...

Page 222: ...guring ACLs on page 9 18 The Packet filtering Process Packet Filtering in an applied ACL is sequential from the first ACE in the ACL to the implicit deny any following the last explicit ACE This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration For details of this process refer to IPv4 Static ACL Operation in c...

Page 223: ...ected if a given client s authenti cation results in a RADIUS assigned ACL assignment then the authenti cation of the other client concurrently using the port must also include a RADIUS assignedACLassignment Thus ifaRADIUSserverisconfigured to assign a RADIUS assigned ACL when client X authenticates but is not configured to do the same for client Y then traffic from client Y will be blocked whenev...

Page 224: ...ch Assigns a RADIUS configured ACL to filter inbound packets received from a specific client authenticated on a switch port Standard Attribute 92 This is the preferred attribute for use in RADIUS assigned ACLs to configure ACEs to filter IPv4 traffic Entry for IPv4 Only ACE To Filter Client Traffic Nas filter Rule permit or deny ACE Standard Attribute 92 For example Nas filter Rule permit in tcp f...

Page 225: ...rd or drop the identified IP traffic type from the authenticated client For information on explicitly permitting or denying all inbound IP traffic from an authenticated client or for implicitly denying all such IP traffic not already permitted or denied refer to Configuration Notes on page 6 24 in Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated c...

Page 226: ...ddress where the first three octets are 10 100 17 The fourth octet is a wildcard and can be any value up to 255 tcp udp port tcp udp port range Optional TCP or UDP port specifier Used when the ACE is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers You can specify port numbers as individual values and or ranges For example the following ACE...

Page 227: ...e or more ACEs in the FreeRADIUS users file Remember that every ACL you create automatically includes an implicit deny in ip from any to any ACE For example suppose that you wanted to create identical ACL support for the following a client having a username of mobilE011 and a password of run10kFast a client having a MAC address of 08 E9 9C 4F 00 19 The ACL in this example must achieve the followin...

Page 228: ... server supporting the switch must be identical Refer to secret 1234 the chapter titled RADIUS Authentication and Accounting in the Access Security Guide for your switch Figure 6 5 Example of Configuring the Switch s Identity Information in a FreeRADIUS Server 3 For a given client username password pair or MAC address create anACL by entering one or more ACEs in the FreeRADIUS users file Enter the...

Page 229: ...hentication this address is used in both the username and password spaces in the entry Figure 6 6 Example of Configuring the FreeRADIUS Server To Support ACLs for the Indicated Clients Format Details for ACEs Configured in a RADIUS Assigned ACL Any instance of a RADIUS assigned ACL is structured to filter authenticated client traffic as follows Applies only to inbound client traffic on the switch ...

Page 230: ... an authenti cated user It pre empts the implicit deny in ip from any to any ACE and permits packets not explicitly permitted or denied by earlier ACEs in the list Configuring the Switch To Support RADIUS Assigned ACLs An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support When a client authenticates wit...

Page 231: ...st aaa authentication port access chap radius aaa port access authenticator active These commands configure 802 1X port based access control on the switch and activates this feature on the specified ports For more on 802 1X configuration and operation refer to chapter 12 Configuring Port Based and User Based Access Control 802 1X in this guide MAC Authentication Option Syntax aaa port access mac b...

Page 232: ...RADIUS assigned ACL to the client port then the server does not have a valid ACL configured and assigned to that client s authentication credentials For example the following output shows that a RADIUS server has assigned an ACL to port B1 to filter inbound traffic from an authenticated client identified by a MAC address of 00 11 85 C6 54 7D Indicates MAC address identity of the authenticated clie...

Page 233: ...dwidth More Effectively in the Advanced Traffic Configuration Guide 0 7 Indicates that the displayed 802 1p priority has been assigned by a RADIUS server to inbound traffic on the indicated port for a currently active authenticated client session This assignment remains active until the session ends Kbps In Limit Indicates the ingress rate limit assigned by the RADIUS server to the port for traffi...

Page 234: ...Dir 2 1 0 1 7 90 No In 3 1 0 1 5 50 Yes In Figure 6 8 Example of Output Showing Current RADIUS Applied Features ICMP Type Numbers and Keywords Below are the possible optional ICMP type specifiers for the icmp type param eter Table 6 5 ICMP Type Numbers and Keywords IPv4 ICMP Keyword 0 3 4 5 8 9 10 11 12 13 14 15 16 17 18 echo reply destination unreachable source quench redirect echo request router...

Page 235: ...ort NotifiesthattheACEentrycouldnotbeaddedtotheinternal ACL storage Notifies that the ACL could not be added to the internal ACL storage Notifies that the ACL could not be added because the per port ACL quantity would be exceeded Notifies of a problem with the IN keyword in the indicated ACE of the access list for the indicated client on the indicated switch port Notifies of a problem with the pro...

Page 236: ... An IP protocol number in the ACE exceeds 255 An optional UDP or TCP port number is invalid or a UDP TCP port number is specified when the protocol is neither UDP or TCP A RADIUS assigned ACL limit has been exceeded An ACE in the ACL for a given authenticated client exceeds 80 characters TheTCP UDPport rangequantity of14perslotorportgrouphasbeen exceeded Monitoring Shared Resources Currently activ...

Page 237: ...erator and Enable Manager Password 7 8 2 Generating the Switch s Public and Private Key Pair 7 9 Configuring Key Lengths 7 12 3 Providing the Switch s Public Key to Clients 7 12 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 7 15 5 Configuring the Switch for SSH Authentication 7 19 6 Use an SSH Client To Access the Switch 7 23 Further Information on SSH Client Public Key...

Page 238: ...ticated transactions The authentication types include Client public key authentication Switch SSH and user password authentication Client Public Key Authentication Login Operator Level with User Password Authentication Enable Manager Level This option uses one or more public keys from clients that must be stored on the switch Only a client with a private key that matches a stored public key can ga...

Page 239: ... switch with SSH enabled Key Pair A pair of keys generated by the switch or an SSH client application Each pair includes a public key that can be read by anyone and a private key held internally in the switch or by a client PEM Privacy Enhanced Mode Refers to an ASCII formatted client public key that has been encoded for portability and efficiency SSHv2 client public keys are typically stored in t...

Page 240: ...Prerequisite for Using SSH Before using the switch as an SSH server you must install a publicly or commercially available SSH client application on the computer s you use for management access to the switch If you want client public key authentication page 7 2 then the client program must have the capability to generate or import keys Public Key Formats Any client application you use for client pu...

Page 241: ...or none Level ssh enable radius Yes No Yes local or none 1 For ssh login public key the switch uses client public key authentication instead of the switch password options for primary authentication The general steps for configuring SSH include A Client Preparation 1 Install an SSH client application on a management station you want to use for access to the switch Refer to the documentation provid...

Page 242: ...n all cases the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none If the primary option is local the secondary option must be none Option B Primary Client public key authentication login public key page 7 23 Secondary none Note that if y...

Page 243: ...g command Once you generate a key pair on the switch you should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow security breaches The switch does not support outbound SSH sessions Thus if you...

Page 244: ...pto key generate zeroize autorun key rsa 7 10 ip ssh 7 16 cipher cipher type 7 17 filetransfer 7 17 mac 7 17 port 1 65535 default 7 16 timeout 5 120 7 16 login local tacacs radius public key 7 20 7 21 local none 7 20 enable tacacs radius local 7 20 local none 7 20 copy tftp pub key file tftp server IP 7 26 clear crypto client public key keylist str 7 27 1 Assigning a Local Login Operator and Enabl...

Page 245: ...o connect to the switch The host key pair is stored in the switch s flash memory and only the public key in this pair is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the SSH clients which should have access to the switch Some SSH client appli cations automatically add the switch spublic key to a knownhosts file Other SSH applicat...

Page 246: ... continue to run unless explicitly terminated with the CLI kill command To Generate or Erase the Switch s Public Private Host Key Pair Because the host key pair is stored in flash instead of the running config file it is not necessary to use write memory to save the key pair Erasing the key pair automatically disables SSH Syntax crypto key generate autorun key rsa cert rsa keysize ssh dsa rsa bits...

Page 247: ...e Public Key on page 7 14 fingerprint Displays fingerprints of the switch s public key in hexadecimal format See Displaying the Public Key on page 7 14 For example to generate and display a new key Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 7 5 Example of Generating a Public Private Host Key Pair for the Switch The show crypto host public key displa...

Page 248: ...he size is represented by the keysize parameter and has the values shown in Table 7 2 The default value is used if keysize is not specified Table 7 2 RSA DSA Values for Various ProCurve Switches Platform Maximum RSA Key Size in bits DSA Key Size in bits 5400 3500 6200 8200 2910 1024 2048 3072 1024 Default 2048 4200 2900 2810 2610 2510 1024 2048 1024 Default 2048 5300 2800 3400 2600 896 512 3 Provi...

Page 249: ...tch is always 896 bits With a direct serial connection from a management station to the switch 1 Use a terminal application such as HyperTerminal to display the switch s public key with the show crypto host public key command figure 7 5 2 Bring up the SSH client s known host file in a text editor such as Notepad as straight ASCII text and copy the switch s public key into the file 3 Ensure that th...

Page 250: ...eed to visually verify that the public key the switch is using for authenticating itself to a client matches the copy of this key in the client s known hosts file Non encoded ASCII numeric string Requires a client ability to display the keys in the known hosts file in the ASCII format This method is tedious and error prone due to the length of the keys See figure 7 7 on page 7 13 Phonetic hash Out...

Page 251: ...e switch always uses ASCII version without babble or fingerprint conversion of its public key for file storage and default display format 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients After you enable SSH the switch can authenticate itself to SS...

Page 252: ...e for a man in the middle attack that is for an unauthorized device to pose undetected as the switch and learn the usernames and passwords controlling access to the switch This possibility can be removed by directly connecting the management station to the switch s serial port using a show command to display the switch s public key and copying the key from the display into a file This requires a k...

Page 253: ...r aes192 ctr aes256 ctr Default All cipher types are available Use the no form of the command to disable a cipher type filetransfer Enable disable secure file transfer capability SCP and SFTP secure file transfer will not function unless SSH is also enabled mac mac type Allows configuration of the set of MACs that can be selected Valid types are hmac md5 hmac sha1 hmac sha1 96 hmac md5 96 Default ...

Page 254: ...except those reserved for other purposes Examples of reserved IP ports are 23 Telnet and 80 http Some other reserved TCP ports on the switch are 49 80 1506 and 1513 ProCurve config ip ssh Enable SSH ProCurve config show ip ssh SSH Enabled Yes Secure Copy Enabled No TCP Port Number 22 Timeout sec 120 Host Key Type RSA Host Key Size 1024 Ciphers aes128 cbc 3des cbc aes192 cbc aes256 cbc rijndael cbc...

Page 255: ...iguration Guide To protect against unauthorized access to the serial port and the Clear button which removes local password protection keep physical access to the switch restricted to authorized per sonnel 5 Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch s public key by an SSH client However only Option B below results in ...

Page 256: ...cess without authentication Option B Configuring the Switch for Client Public Key SSH Authentication If configured with this option the switch uses its public key to authenticate itself to a client but the client must also provide a client public key for the switch to authenticate This option requires the additional step of copying a client public key file from a TFTP server into the switch This m...

Page 257: ...SH clients public keys is stored in flash memory on the switch You also can save SSH client public key configurations to a configuration file by entering the following commands include credentials write memory For more information about saving security credentials to a configuration file see Saving Security Credentials in a Config File on page 2 10 in this guide For example assume that you have a ...

Page 258: ...ion ssh login public key none ProCurve config aaa authentication ssh enable tacacs local ProCurve config coy tftp pub key file 10 33 18 117 ProCurve config write memory Copies a public key file named Client Keys pub into the switch Figure 7 11 Configuring for SSH Access Requiring a Client Public Key Match and Manager Passwords Figure 7 12 shows how to check the results of the above commands Lists ...

Page 259: ...s for authenticating clients This requires storing an ASCII version of each client s public key without babble conversion or fingerprint conversion in a client public key file that you create and TFTP copy to the switch In this case only clients that have a private key corresponding to one of the stored public keys can gain accesstotheswitchusingSSH That is if you use this feature only the clients...

Page 260: ...client 5 The client uses its private key to decrypt the byte sequence 6 The client then a Combines the decrypted byte sequence with specific session data b Uses a secure hash algorithm to create a hash version of this informa tion c Returns the hash version to the switch 7 The switch computes its own hash version of the data from step 6 and compares it to the client s hash version If they match th...

Page 261: ...t application for details The switch supports the following client public key properties Property Supported Value Comments Key Format ASCII See figure 7 7 on page 7 13 The key must be one unbroken ASCII string If you add more than one client public key to a file terminate each key except the last one with a CR LF Spaces are allowed within the key to delimit the key s components Note that unlike th...

Page 262: ...one with a CR LF N o t e o n P u b l i c The actual content of a public key entry in a public key file is determined by K e y s the SSH client application generating the key Although you can manually add or edit any comments the client application adds to the end of the key such as the smith support cairns com at the end of the key in figure 7 13 on page 7 25 Syntax copy tftp pub key file ipv4 add...

Page 263: ...ethod for copying a public key file to the switch For example if you wanted to copy a client public key file named clientkeys txt from a TFTP server at 10 38 252 195 and then display the file contents Key Index Number Figure 7 14 Example of Copying and Displaying a Client Public Key File Containing Two Different Client Public Keys for the Same Client Replacing or Clearing the Public Key File The c...

Page 264: ...ey matches the switch s client public key file allow that client access to the switch If there is not a public key match then deny access to that client Syntax aaa authentication ssh login public key none Allows SSH client access only if the switch detects a match between the client s public key and an entry in the client public key file most recently copied into the switch C a u t i o n To enable...

Page 265: ... to download new file The ip ssh port command has attempted to configure a reserved TCP port Use the default or select another port number See Note on Port Number on page 7 18 The client key does not exist in the switch Use copy tftp to download the key from a TFTP server Download failed overlength key in key file Download failed too many keys in key file Download failed one or more keys is not a ...

Page 266: ...ey Logging Messages There are event log messages when a new key is generated and zeroized for the server ssh New num bits bit rsa dsa SSH host key installed ssh SSH host key zeroized There are also messages that indicates when a client public key is installed or removed ssh num bits bit rsa dsa client public key installed removed manager operator access key_comment Note Only up to 39 characters of...

Page 267: ...d 8 7 2 Generating the Switch s Server Host Certificate 8 8 To Generate or Erase the Switch s Server Certificate Generate a Self Signed Host Certificate with the Web Generate a CA Signed server host certificate with the with the CLI 8 9 Comments on Certificate Fields 8 10 browser interface 8 12 Web browser interface 8 15 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior 8 ...

Page 268: ...d SSL provides all the web functions but unlike standard web access SSL provides encrypted authenticated transactions The authentication type includes server certificate authentication with user password authentication Not e SSL in the switches covered in this guide is based on the OpenSSL software toolkit For more information on OpenSSL visit www openssl com Server Certificate authentication with...

Page 269: ...st certificate and private portion is stored in switch flash not user accessible Digital Certificate A certificate is an electronic passport that is used to establish the credentials of the subject to which the certificate was issued Information contained within the certificate includes name of the subject serial number date of validity subject s public key and the digital signature of the authori...

Page 270: ...ger privileges on the switch Operator Level Operator privileges on the switch Local password or username A Manager level or Operator level pass word configured in the switch SSL Enabled 1 A certificate key pair has been generated on the switch web interface or CLI command crypto key generate cert key size 2 A certificate been generated on the switch web interface or CLI command crypto host cert ge...

Page 271: ...st versions of Microsoft Internet Explorer and Netscape web browser support SSL and TLS functionality See browser documentation for additional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 8 7 2 Generate a host certificate on the switch page 8 8 i Generate certificate key pair ii Generate host certificate You need to do this only once The swi...

Page 272: ...e you will have to re introduce the switch s certificate on all management stations clients you previously set up for SSL access to the switch In some situations this can temporarily allow security breaches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config command The public priva...

Page 273: ...signing a Local Login Operator and Enabling Manager Password At a minimum ProCurve recommends that you always assign at least a Manager password to the switch Otherwise under some circumstances anyone with Telnet web or serial port access could modify the switch s configuration Using the web browser interface To Configure Local Passwords You can configure both the Operator and Manager password on ...

Page 274: ...d passwords can be up to 16 printable ASCII characters 3 Click on Apply Changes button to activate the user names and passwords 2 Generating the Switch s Server Host Certificate You must generate a server certificate on the switch before enabling SSL The switch uses this server certificate along with a dynamically generated session key pair to negotiate an encryption method and session with a brow...

Page 275: ...CA certificate and can be verified unequivocally Not e There is usually a fee associated with receiving a verified certificate and the valid dates are limited by the root certificate authority issuing the certificate When you generate a certificate key pair and or certificate on the switch the switch places the key pair and or certificate in flash memory and not in running config Also the switch m...

Page 276: ...ertificate from the CLI i Generate a certificate key pair This is done with the crypto key generate cert command The default key size is 512 Not e If a certificate key pair is already present in the switch it is not necessary to generate a new key pair when generating a new certificate The existing key pair may be re used and the crypto key generate cert command does not have to be executed ii Gen...

Page 277: ...ce Organizational Unit This is the name of the sub entity e g department where the switch is in service City or location This is the name of the city where switch is in service State name Thisisthenameofthestateorprovincewhereswitchisinservice Country code This is the ISO two letter country code where switch is in service For example to generate a key and a new host certificate Generate New Key En...

Page 278: ...command For example to display the new server host certificate Show host certificate command Figure 8 4 Example of show crypto host cert command Generate a Self Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface For more information on how to access the web browser interface refer to the chapter titled Using the ProCurve Web Browser Interfac...

Page 279: ... Generate Certificate button iii Select Self signed certificate in the type box iv Select the RSA key size desired If you do not wish to generate a new key then just select current from the list v Fill in remaining certificate arguments refer to To Generate or Erase the Switch s Server Certificate with the CLI on page 8 9 vi Click on the Apply Changes button to generate a new certificate and key i...

Page 280: ... certificate via the web browsers inter face Certificate Type Box Key Size Selection Certificate Arguments Figure 8 5 Self Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface 1 Proceed to the Security tab 2 Then the SSL button 8 14 ...

Page 281: ...r interface For more information on how to access the web browser interface refer to the chapter titled Using the ProCurve Web Browser Interface in the Man agement and Configuration Guide for your switch The installation of a CA signed certificate involves interaction with other entities and consists of three phases The first phase is the creation of the CA certificate request which is then copied...

Page 282: ...ist iv Select the key size from the RSA Key Size drop down list If you wish to re use the current certificate key select Current from the RSA Key Size drop down list v Fill in remaining certificate arguments Refer to Comments on Certificate Fields on page 8 10 vi Click on Apply Changes to create the certificate request A new web browser page appears consisting of two text boxes The switchuses the ...

Page 283: ...aMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0 aMcXgVruVixw xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH BAIwADANBgkqhkiG9w0B Certificate Request Certificate Request Reply Figure 8 7 Request for Verified Host Certificate Web Browser Interface Screen 3 Enabling SSL on the Switch and Anticipating S...

Page 284: ...tificate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequivocally As long as you are confident that an unauthorized device is not using the switch s IP address in an attempt to gain access to your data or network you can accept the connection Not e When an SSL client connects to the switch for the first time it is possi...

Page 285: ...Generating the Switch s Server Host Certificate on page 8 8 2 Execute the web management ssl command To disable SSL on the switch do either of the following Execute no web management ssl Zeroize the switch s host certificate or certificate key page 8 9 Using the Web Browser Interface to Enable SSL To enable SSL on the switch i Proceed to the Security tab then the SSL button ii Select SSL Enable to...

Page 286: ...orts on the switches are 49 80 1506 and 1513 C a u t i o n SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides youmaywanttodisableTelnetaccess notelnet IfyouneedtoincreaseSNMP security use SNMP version 3 only for SNMP access A...

Page 287: ...ser interface You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the Web browser interface on page 8 12 You may be using a reserved TCP port Refer to Note on Port Number on page 8 20 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior on page 8 17 Your browser may no...

Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...

Page 289: ...IUS assigned Port ACL Applications 9 15 Multiple ACLs on an Interface 9 16 Features Common to All ACL Applications 9 16 General Steps for Planning and Configuring ACLs 9 18 IPv4 Static ACL Operation 9 20 Introduction 9 20 The Packet filtering Process 9 20 Planning an ACL Application 9 24 IPv4 Traffic Management and Improved Network Performance 9 24 Security 9 25 Guidelines for Planning the Structu...

Page 290: ...s Configuration 9 41 Using the CLI To Create an ACL 9 42 General ACE Rules 9 42 Using CIDR Notation To Enter the IPv4 ACL Mask 9 43 Configuring Standard ACLs 9 44 Configuring Named Standard ACLs 9 46 Creating Numbered Standard ACLs 9 49 Configuring Extended ACLs 9 53 Configuring Named Extended ACLs 9 55 Configuring Numbered Extended ACLs 9 65 Adding or Removing an ACL Assignment On an Interface 9 ...

Page 291: ...c ACL 9 89 Display All ACLs and Their Assignments in the Routing Switch Startup Config File and Running Config File 9 91 Monitoring Static ACL Performance 9 92 Creating or Editing ACLs Offline 9 94 Creating or Editing an ACL Offline 9 94 The Offline Process 9 94 Enable ACL Deny Logging 9 96 Requirements for Using ACL Logging 9 96 ACL Logging Operation 9 97 Enabling ACL Logging on the Switch 9 98 G...

Page 292: ...ndard ACLs None 9 44 Extended ACLs None 9 53 Enable or Disable an ACL n a 9 73 Display ACL Data n a 9 85 Delete an ACL n a 9 74 Configure an ACL from a TFTP Server n a 9 94 Enable ACL Logging n a 9 98 IPv4 filtering with ACLs can help improve network performance and restrict network use by creating policies for Switch Management Access Permits or denies in band manage ment access This includes lim...

Page 293: ... security program However because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IPv4 packet transmissions they should not be relied upon for a complete security solution IPv4 ACLs on the switches covered by this manual do not filter non IPv4 traffic such as IPv6 AppleTalk and IPX packets 9 5 ...

Page 294: ...n port when the server authenticates a specific client on that port When the server authenticates a client associated with that ACL the ACL is assigned to the port the client is using The ACL then filters the IP traffic received inbound on that port from the authenticated client When the client session ends the ACL is removed from the port The switch allows as many dynamic port ACLs on a port as i...

Page 295: ...g ip access list resequence name str 1 99 1 2147483647 9 80 in a Standard ACL 1 2147483646 Enter or Remove a ProCurve config ip access list standard name str 1 99 9 81 Remark from a ProCurve config ext nacl remark remark str no 1 2147483647 remark 9 83 Standard ACL For numbered standard ACLs only the following remark commands can be substituted for the above ProCurve config access list 1 99 remark...

Page 296: ...og 2 Create an Extended ProCurve config access list 100 199 deny permit Numbered ACL ip options tcp udp options igmp options icmp options or precedence priority Add an ACE to the End tos tos setting of an Existing log 2 Numbered ACL Note Uses the same IP TCP UDP IGMP and ICMP options as shown above for Create an Extended Named ACL Insert an ACE by ProCurve config ip access list extended name str 1...

Page 297: ...ended ProCurve config no ip access list extended name str 100 199 9 74 ACL For numbered extended ACLs only the following command can also be used ProCurve config no access list 100 199 Table 9 3 Command Summary for Enabling Disabling and Displaying ACLs Enable or Disable a ProCurve config no interface port list Trkx access group identifier in Static Port ACL ProCurve eth port list Trkx no ip acces...

Page 298: ...nfigured Access Control Entries ACEs and terminating with an implicit deny ACE ACL types include standard and extended See also Standard ACL and Extended ACL To filter IPv4 traffic apply either type Static Port ACL an ACL assigned to filter inbound traffic on a specific switch port Dynamic Port ACL dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated cl...

Page 299: ...rt See also Implicit Deny Extended ACL This type of IPv4 Access Control List uses layer 3 IP criteria composed of source and destination addresses and optionally TCP UDP port ICMP IGMP precedence or ToS criteria to determine whether there is a match with an IP packet Except for RADIUS assigned ACLs which use client credentials for identifiers extended ACLs require an alphanu meric name or an ident...

Page 300: ...1 99 command Refer to Creating or Adding to an Standard Numbered ACL on page 9 50 After a numbered ACL has been created the switch manages it in the same way as a named ACL meaning that it can be applied and edited in the same way as a named ACL Permit An ACE configured with this action allows the switch to forward a packet for which there is a match within an applicable ACL Permit Any Forwarding ...

Page 301: ...s control list uses the layer 3 IP criteria of source IPv4 address to determine whether there is a match with an IPv4 packet Except for RADIUS assigned ACLs standard ACLs require an alphanumeric name or an identification number ID in the range of 1 99 See also identifier on page 9 11 Static Port ACL An ACL statically configured on a specific port group of ports or trunk A static port ACL filters a...

Page 302: ...You can specify a single host a finite group of hosts or any host Extended ACL Use an extended ACL when simple IPv4 source address restrictions do not provide the sufficient traffic selection criteria needed on an interface Extended ACLs allow use of the following criteria source and destination IPv4 address combinations IP protocol options Extended named ACLs also offer an option to permit or den...

Page 303: ...om client A is filtered Effect of Dynamic Port ACLs When Multiple Clients Are Using the Same Port Some network configurations may allow multiple clients to authenticate through a single port where a RADIUS server assigns a separate dynamic port ACL in response to each client s authentication on that port In such cases a given client s inbound traffic will be allowed only if the RADIUS authenticati...

Page 304: ...amic port ACL only the first client to authen ticate can use the port Traffic from other clients will be dropped Multiple ACLs on an Interface Multiple ACL Assignments Allowed The switch allows multiple ACL applications on an interface subject to internal resource availability This means that a port can simultaneously be subject to the following One static port ACL for any IPv4 traffic entering th...

Page 305: ...the Implicit Deny is deny any For extended ACLs it is deny ip any any In any ACL you can apply an ACL log function to ACEs that have an explicit deny action The logging occurs when there is a match on a deny ACE except when the ACL is usedfor mirroring The switch sends ACL logging output to Syslog if configured and optionally to a console session You can create ACLs for the switch configuration us...

Page 306: ...umentation for your RADIUS server 2 Identify the traffic types to filter The SA and or the DA of traffic you want to permit or deny This can be a single host a group of hosts a subnet or all hosts Traffic of a specific IPv4 protocol type 0 255 Any TCP traffic only for a specific TCP port or range of ports including optional control of connection traffic based on whether the initial request should ...

Page 307: ...ting is enabled by default on the switch and can be used to override ACLs For this reason if you are using ACLs to enhance network security the recommended action is to use the no ip source route command to disable source routing on the switch If source routing is disabled in the running config file the show running command includes no ip source route in the running config file listing 9 19 ...

Page 308: ...configured on the switch For information on dynamic port ACLs assigned by a RADIUS server refer to chapter 6 Configuring RADIUS Server Support for Switch Services Note Afteryou assignanIPv4 ACL to an interface thedefaultaction on theinterface is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL This applies only in the direction of traffic flow filtered by the ACL The P...

Page 309: ...any to 18 28 156 3 Deny in tcp from any to any 23 Permit in ip from any to any Deny in ip from any to any This line demonstrates the deny any any ACE implicit in every RADIUS assigned ACL Any inbound IPv4 traffic from the authenticated client that does not have a match with any of the five explicit ACEs in this ACL will be denied by the implicit deny any any Figure 9 2 Example of Sequential Compar...

Page 310: ... match is not found with any explicit ACE in the ACL the switch invokes the Implicit Deny at the end of every ACL and drops the packet Note If the list includes an ACEconfiguredwithPermit Anyforwarding nopackets canreachtheImplicitDeny at the end of the list Also placing an ACE with Permit Anyforwardingatanypoint in an ACL defeats the purpose of any subsequent ACEs in the list Figure 9 3 The Packe...

Page 311: ...t trafficfrom source address 10 11 11 101 Packets 5 This entry does not appear in an actual ACL but is implicit as matching this criterion are dropped and are not compared to the last entry in every ACL Any IPv4 packets that do not match later criteria in the list Packets not matching this criterion are any of the criteria in the ACL s preceding entries will be denied compared to the next entry in...

Page 312: ...4 Traffic Management and Improved Network Performance You can use ACLs to block traffic from individual hosts workgroups or subnets and to block access to VLANs subnets devices and services Traffic criteria for ACLs include Switched and or routed traffic Any traffic of a specific IPv4 protocol type 0 255 Any TCP traffic only for a specific TCP port or range of ports including optional control of c...

Page 313: ...licitly block by taking advantage of the implicit deny ip any to deny traffic that you have not explicitly permitted This can reduce the number of entries needed in an ACL What traffic should you permit In some cases you will need to explicitly identify permitted traffic In other cases depending on your policies you can insert an ACE with permit any forwarding at the end of an ACL This means that ...

Page 314: ...ation on ACL applications refer to ACL Applications on page 9 14 The sequence of ACEs is significant When the switch uses an ACL to determine whether to permit or deny an ip packet it compares the packet to the criteria specified in the individual Access Control Entries ACEs in the ACL beginning with the first ACE in the list and proceeding sequentially until a match is found When a match is found...

Page 315: ...maximum number of ACEs supported by the switch is up to 1024 for IPv4 ACEs The maximum number of ACEs allowed on a port depends on the concurrent resource usage by multiple configured features For more information use the show qos access list resources command and or refer to Monitoring Shared Resources on page 9 100 Implicit Deny In any static IPv4 ACL the switch automatically applies an implicit...

Page 316: ... is configured with an ACL the ACL must be removed before the port is added to the trunk Also removing a port from an ACL configured trunk removes the ACL configuration from that port How an ACE Uses a Mask To Screen Packets for Matches When the switch applies an ACL to IPv4 traffic each ACE in the ACL uses an IPv4 address and ACL mask to enforce a selection policy on the packets being screened Th...

Page 317: ...s and corresponding mask in the ACE to an IPv4 address carried in a packet A mask bit setting of 0 off requires that the corresponding bits in the packet s address and in the ACE s address must be the same Thus if a bit in the ACE s address is set to 1 on the same bit in the packet s address must also be 1 A mask bit setting of 1 on means the corresponding bits in the packet s address and in the A...

Page 318: ...possible and using multiple ACEs carefully ordered to eliminate unwanted matches Every IPv4 address and mask pair source or destination used in an ACE creates one of the following policies Any IPv4 address fits the matching criteria In this case the switch automatically enters the address and mask in the ACE For example access list 1 deny any produces this policy in an ACL listing Address Mask 0 0...

Page 319: ... of the corresponding SA in the ACE is 31 the rightmost five bits In this case a match occurs when the second octet of the SA in a packet being filtered has a value in the range of 24 to 31 Refer to table 9 1 below Table 9 1 Example of How the Mask Defines a Match Location of Octet Bit Position in the Octet 128 64 32 16 8 4 2 1 SA in ACE Mask for SA Corresponding Octet of a Packet s SA 0 0 0 0 0 0...

Page 320: ... the ACE ACE Figure 9 5 Example of an ACL with an Access Control Entry ACE that Allows Only One Source Address Examples Allowing Multiple IPv4 Addresses Table 9 2 provides exam ples of how to apply masks to meet various filtering requirements Table 9 2 Example of Using an IPv4 Address and Mask in an Access Control Entry Address in the ACE Mask Policy for a Match Between a Packet and the ACE Allowe...

Page 321: ... in the ACE and the IPv4 address in a packet then the packet is either permitted or denied according to how the ACE is configured If there is not a match the next ACE in the ACL is then applied to the packet The same operation applies to a destination IPv4 address DA used in an extended ACE Where an ACE includes both source and destination addresses there is one address ACL mask pair for the sourc...

Page 322: ...L 9 53 Enabling or Disabling ACL Filtering 9 73 Overview General Steps for Implementing ACLs 1 Configure one or more ACLs This creates and stores the ACL s in the switch configuration 2 Assign an ACL IPv4 source routing is enabled by default on the switch and can be used to override ACLs For this reason if you are using ACLs to enhance network security the recommended action is to disable source r...

Page 323: ...on whether the initial request should be allowed Any UDP traffic only or UDP traffic for a specific UDP port Any ICMP traffic only or ICMP traffic of a specific type and code Any IGMP traffic only or IGMP traffic of a specific type Any of the above with specific precedence and or ToS settings For an extended ACL ID use either a unique number in the range of 100 199 or a unique name string of up to...

Page 324: ... usage by configured ACL QoS IDM Mirroring and other features Refer to Monitoring Shared Resources on page 9 100 4 Implicit Deny Where an ACL is in use it denies any packets that do not have a match with the ACEs explicitly configured in the list The Implicit Deny does not appear in ACL configuration listings but always functions when the switch uses an ACL to filter packets You cannot delete the ...

Page 325: ... 0 0 0 0 log 20 permit 10 28 150 1 0 0 0 255 exit ACE Action permit or deny End of List Marker Source Address Mask Optional Logging Command Figure 9 7 Example of a Displayed Standard ACL Configuration with Two ACEs Extended ACL Configuration Structure Individual ACEs in an extended ACL include A permit deny statement Source and destination IPv4 addressing Choice of IPv4 criteria including optional...

Page 326: ...desti acl mask operator port id log established Note The optional log function is available only for deny ACEs permit deny udp SA src acl mask operator port id DA dest acl mask operator port id log permit deny icmp SA src acl mask DA dest acl mask icmp type log permit deny igmp SA SA mask DA dest acl mask igmp type log precedence priority tos tos setting Implicit Deny exit Figure 9 8 Example of Ge...

Page 327: ...ource Protocol Types End of List Marker Source Addresses and Masks Upper entry denies certain UDP packets from a single host Lowerentrydeniesall UDP packets fromallhosts Optional Destination UDPorTCPOperator and Range of Port Numbers In this case the ACL specifies UDP port numbers 3680 3690 Destination Address and Mask ACE Action permit or deny ACL List Heading with List Type and ID String Name or...

Page 328: ...ts received from 10 28 235 10 As a result IPv4 traffic from that device will not be allowed and packets from that device will not be compared against any later entries in the list 20 A packet from SA 10 28 245 89 will be denied dropped This ACE filters out all packets received from 10 28 245 89 As the result IPv4 traffic from that device will not be allowed and packets from that device will not be...

Page 329: ...the explicit entries you create will be denied by the Implicit Deny action If you want to preempt the Implicit Deny so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL will be permitted insert an explicit permit any for standard ACLs or permit ip any any for extended ACLs as the last explicit ACE in the ACL A Configured ACL Has No Effect Until You Apply It to an Interfac...

Page 330: ...the sequence number For example if you wanted to add a permit ACL at the end of a list named List 1 to allow traffic from the device at 10 10 10 100 ProCurve config ip access list standard List 1 ProCurve config std nacl permit host 10 10 10 100 Insert an ACE anywhere in a named ACL by specifying a sequence number For example if you wanted to insert a new ACE as line 15 between lines 10 and 20 in ...

Page 331: ...d in the same ACL Attempting to enter a duplicate ACE displays the Duplicate access control entry message Using CIDR Notation To Enter the IPv4 ACL Mask You can use CIDR Classless Inter Domain Routing notation to enter ACL masks The switch interprets the bits specified with CIDR notation as the address bits in an ACL and the corresponding address bits in a packet that must match The switch then co...

Page 332: ...CE from an ACL ProCurve config ip access list standard name str 1 99 ProCurve config std nacl no 1 2147483647 9 79 Resequence the ACEs in an ACL ProCurve config ip access list resequence name str 1 99 1 2147483647 1 2147483646 9 80 Enter or Remove a Remark from an ACL ProCurve config ip access list standard name str 1 99 ProCurve config ext nacl remark remark str no 1 2147483647 remark 9 81 9 83 F...

Page 333: ...command syntax for creating a named ACL differs from the command syntax for creating a numbered ACL For example the first pair of entries below illustrate how to create or enter a named standard ACL and enter an ACE The next entry illustrates creating a numbered standard ACL with the same ACE ProCurve config ip access list standard Test List ProCurve config std nacl permit host 10 10 10 147 ProCur...

Page 334: ...s 9 76 including remarks in an ACL 9 81 displaying ACL configuration data 9 85 creating or editing ACLs offline 9 94 enabling ACL Deny logging 9 96 Entering the IPv4 Named ACL nacl Context This command is a prerequisite to entering or editing ACEs in a named ACL Syntax ip access list standard name str Places the CLI in the Named ACL nacl context specified by the name str alphanumeric identifier Th...

Page 335: ...or permits a packet matching the criteria in the ACE as described below any host SA SA mask SA mask length Defines the source IPv4 address SA a packet must carry for a match with the ACE any Allows IPv4 packets from any SA host SA Specifies only packets having SA as the source Use this criterion when you want to match the IPv4 packets from a single source address SA mask or SA mask length Specifie...

Page 336: ...llustrates how to create a standard named ACL with several ACEs This example creates an ACL that 1 permits IPv4 traffic from a host with the address of 10 10 10 104 2 creates another ACE that blocks all other IPv4 traffic from the same subnet 3 allows all other IPv4 traffic ProCurve config ip access list standard Sample List Creates the Sample List ProCurve config std nacl permit host 10 10 10 104...

Page 337: ...g general steps to create or add to an numbered standard ACL 1 Create a numbered standard ACL by entering the first ACE in the list 2 Append a new ACE to the end of an existing standard ACL This section describes the commands for performing these steps For other IPv4 ACL topics refer to the following Topic Page configuring named standard ACLs 9 46 configuring named extended ACLs 9 55 configuring n...

Page 338: ...e renumbered using resequence page 9 80 Note To insert a new ACE between two existing ACEs in a standard numbered ACL a Use ip access list extended 1 99 to open the ACL as a named ACL b Enter the desired sequence number along with the ACE keywords and variables you want After a numbered ACL has been created it can be managed as either a named or numbered ACL Refer to the Numbered ACLs list item on...

Page 339: ...IPv4 addresses The mask format can be in either dotted decimal format or CIDR format number of significant bits Refer to Using CIDR Notation To Enter the IPv4 ACL Mask on page 9 43 SA Mask Application The mask is applied to the SA in the ACE to define which bits in a packet s SA must exactly match the SA configured in the ACL and which bits need not match Example 10 10 10 1 24 and 10 10 10 1 0 0 0...

Page 340: ... access list 17 deny 10 10 10 1 24 log ProCurve config access list 17 permit any ProCurve config show access list 17 Access Control Lists Name 17 Type Standard Applied No SEQ Entry 10 Action permit Note that each ACE is IP 10 10 10 104 Mask 0 0 0 0 automatically assigned a sequence number 20 Action deny log IP 10 10 10 1 Mask 0 0 0 255 30 Action permit IP 0 0 0 0 Mask 255 255 255 255 Figure 9 13 S...

Page 341: ...tended ProCurve config access list 100 199 deny permit Numbered ACL ip options tcp udp options igmp options icmp options or log 2 Add an ACE to the End precedence priority of an Existing tos tos setting Numbered ACL Note Uses the same IP TCP UDP IGMP and ICMP options as shown above for Create an Extended Named ACL Insert an ACE by ProCurve config ip access list extended name str 100 199 Assigninga...

Page 342: ...nded ACLs enable filtering on the following Source and destination IPv4 addresses required in one of the following options specific host subnet or group of addresses any address choice of any IPv4 protocol optional packet type criteria for IGMP and ICMP traffic optional source and or destination TCP or UDP port with a further option for comparison operators and for TCP an option for estab lishing ...

Page 343: ...extended ACL 2 Enter the first ACE in a new extended ACL or append an ACE to the end of an existing extended ACL This section describes the commands for performing these steps For other ACL topics refer to the following Topic Page configuring named standard ACLs 9 46 configuring numbered standard ACLs 9 49 configuring numbered extended ACLs 9 65 applying or removing an ACL on an interface 9 73 del...

Page 344: ...ifier This enables entry of individual ACEs in the specified ACL If the ACL does not already exist this command creates it name str Specifies an alphanumeric identifier for the ACL Consists of an alphanumeric string of up to 64 case sensitive characters Including spaces in the string requires that you enclose the string in single or double quotes For example Accounting ACL You can also use this co...

Page 345: ...utive sequence numbers in increments of 10 and can be renumbered using resequence page 9 80 Note To insert a new ACE between two existing ACEs in an extended named ACL precede deny or permit with an appro priate sequence number along with the ACE keywords and variables you want Refer to Inserting an ACE in an Exist ing ACL on page 9 77 For a match to occur a packet must have the source and destina...

Page 346: ...ded ACE It follows the protocol specifier and defines the source address SA a packet must carry for a match with the ACE any Allows IPv4 packets from any SA host SA Specifies only packets having a single address as the SA Use this criterion when you want to match only the IPv4 packets from a single SA SA mask or SA mask length Specifies packets received from an SA where the SA is either a subnet o...

Page 347: ...e in either dotted decimal format or CIDR format number of significant bits Refer to Using CIDR Notation To Enter the IPv4 ACL Mask on page 9 43 DA Mask Application The mask is applied to the DA in the ACL to define which bits in a packet s DA must exactly match the DA configured in the ACL and which bits need not match See also the above example and note precedence 0 7 precedence name This option...

Page 348: ...n the case of 0 2 4 and 8 as alphanumeric names 0 or normal 2 max reliability 4 max throughput 6 8 minimize delay 10 12 14 Note The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE log This option can be used after the DA to generate an Event Log message if The action is deny Not applicable to permit There is a match ACL logging is enabled Refer...

Page 349: ...t 10 10 10 100 host 10 20 10 17 eq telnet deny udp 10 30 10 1 24 host 10 20 10 17 range 161 162 comparison operator tcp udp src port To specify a TCP or UDP source port number in an ACE 1 select a comparison operator from the following list and 2 enter the port number or a well known port name Comparison Operators eq tcp udp port nbr Equal To to have a match with the ACE entry the TCP or UDP sourc...

Page 350: ...ter the port number or a well known port name Comparison Operators and Well Known Port Names These are the same as are used with the TCP UDP source port options and are listed earlier in this command description established This option applies only where TCP is the configured protocol type It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN w...

Page 351: ...icmp as the packet protocol type see above you can optionally specify an individual ICMP packet type or packet type code pair to further define the criteria for a match This option if used is entered immediately after the destination address DA entry The following example shows two ACEs entered in a Named ACL context permit icmp any any host unknown permit icmp any any 3 7 icmp type icmp code This...

Page 352: ...prohibited option missing echo packet too big echo reply parameter problem general parameter problem port unreachable host isolated precedence unreachable host precedence unreachable protocol unreachable host redirect reassembly timeout host tos redirect redirect host tos unreachable router advertisement host unknown router solicitation host unreachable source quench information reply source route...

Page 353: ...urther define the criteria for a match This option if used is entered immediately after the destination addressing entry The following example shows an IGMP ACE entered in the Named ACL context ProCurve config ext nacl permit igmp any any host query igmp type The complete list of IGMP packet type options includes dvmrp trace mtrace request host query v2 host report v3 host report host report v2 ho...

Page 354: ...g remarks in an ACL 9 81 displaying ACL configuration data 9 85 creating or editing ACLs offline 9 94 enabling ACL Deny logging 9 96 Creating or Adding to an Extended Numbered ACL This command is an alternative to using ip access list extended name str and does not use the Named ACL nacl context For an extended ACL syntax summary refer to table 9 7 on page 9 53 Syntax access list 100 199 deny perm...

Page 355: ...d 100 199 to open the ACL as a named ACL b Enter the desired sequence number along with the ACE statement you want Refer to the Numbered ACLs list item on page 9 42 For a match to occur a packet must have the source and destination addressing criteria specified in the ACE as well as the protocol specific criteria configured in the ACE including any included optional elements described later in thi...

Page 356: ...ent Services at www iana com Range 0 255 For TCP UDP ICMP and IGMP additional criteria can be specified as described later in this section any host SA SA mask length SA mask In an extended ACL this parameter defines the source address SA that a packet must carry in order to have a match with the ACE any Specifies all inbound IPv4 packets host SA Specifies only inbound IPv4 packets from a single ad...

Page 357: ...bed earlier and defines the destination address DA that a packet must carry in order to have a match with the ACE The options are the same as shown for SA any Allows routed IPv4 packets to any DA host DA Specifies only the packets having DA as the destination address Use this criterion when you want to match only the IPv4 packets for a single DA DA mask length or DA mask Specifies packets intended...

Page 358: ...ction criteria config ured in the same ACE tos This option can be used after the DA to cause the ACE to match packets with the specified Type of Service ToS set ting ToS values can be entered as the following numeric settings or in the case of 0 2 4 and 8 as alphanumeric names 0 or normal 2 max reliability 4 max throughput 6 8 minimize delay 10 12 14 Note The ToS criteria in this section are appli...

Page 359: ...denying all types of ICMP traffic That is an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE As an optional alterna tive the ACE can include the name of an ICMP packet type For a summary of the extended ACL syntax options refer to table 9 ...

Page 360: ...ts ACLs Configuring Extended ACLs Syntax access list 100 199 deny permit igmp src ip dest ip igmp type The IGMP type criteria is identical to the criteria described for IGMP in named extended ACLs beginning on page 9 65 9 72 ...

Page 361: ...her a ACL name or an ACL ID number Assigns an ACL as a static port ACL to a port port list or static trunk to filter any IPv4 traffic entering the switch on that interface You can use either the global configuration level or the interface context level to assign or remove a static port ACL Note The switch allows you to assign a nonexistent ACL name or number to an interface In this case if you sub...

Page 362: ...rt ACL Enables a static port ACL from the Global Configuration level Figure 9 15 Methods for Enabling and Disabling ACLs Deleting an ACL Syntax no ip access list standard name str 1 99 no ip access list extended name str 100 199 no access list 1 99 100 199 Removes the specified ACL from the switch s running config file Note Deleting an ACL does not delete any assignment of that ACL s identifier on...

Page 363: ...ifying a sequence number the switch inserts the ACE as the last entry in the ACL When you enter a new ACE in a named ACL and include a sequence number the switch inserts the ACE according to the position of the sequence number in the current list of ACEs Numbered ACLs When using the access list 1 99 100 199 command to create or add ACEs to a numbered ACL each new ACE you enter is added to the end ...

Page 364: ...bered in increments of 10 For example the following show run output lists three ACEs with default numbering in a list named My List ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 20 permit 10 20 10 117 0 0 0 0 30 deny 10 20 10 1 0 0 0 255 exit Figure 9 16 Example of the Default Sequential Numbering for ACEs You can add an ACE to the end of a named or numbered ACL by using either acc...

Page 365: ...n it as a named ACL and specify a nondefault sequence number as described in the next section Inserting an ACE in an Existing ACL This action uses a sequence number to specify where to insert a new ACE into an existing sequence of ACLs Syntax ip access list standard extended name str 1 99 100 199 1 2147483647 permit deny standard acl ip criteria log 1 2147483647 permit deny extended acl ip criteri...

Page 366: ...1 0 0 0 255 40 permit 0 0 0 0 255 255 255 255 exit Figure 9 19 Example of Inserting an ACE in an Existing ACL In the following example the first two ACEs entered become lines 10 and 20 in the list The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20 ProCurve config ip access list standard List 01 ProCurve config std nacl permit 10 10 10 1 24 Beco...

Page 367: ...In the Named ACL context type no and enter the sequence number of the ACE you want to delete Figure 9 21 illustrates the process for deleting an ACE from a list ProCurve config show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 15 deny 10 10 10 1 0 0 0 255 20 permit 10 20 10 117 0 0 0 0 30 deny 10 20 10 1 0 0 0 255 40 permit 0 0 0 0 255 255 255 255 exit ProCurve config ip acces...

Page 368: ... view the current sequence numbering in an ACE use show run or show access list name str 1 99 100 199 2 Use the command syntax above to change the sequence numbering This example resequences the My List ACL at the bottom of figure 9 21 so that the list begins with line 100 and uses a sequence interval of 100 ProCurve config show run ip access list standard My List 10 permit 10 10 10 25 0 0 0 0 15 ...

Page 369: ...is syntax applies to both named and numbered ACLs With out an optional sequence number the remark is appended to the end of the list and automatically assigned a sequence number When entered with an optional sequence number the remark is inserted in the list according to the numeric prece dence of the sequence number The no form of the command deletes the indicated remark but does not affect the r...

Page 370: ... using the Named ACL nacl context ProCurve config ip access list standard My List ProCurve config std nacl permit host 10 10 10 15 ProCurve config std nacl deny 10 10 10 1 24 ProCurve config std nacl remark HOST 10 20 10 34 The remark is assigned the same ProCurve config std nacl permit host 10 20 10 34 number that the immediately ProCurve config std nacl show run followingACE 30 inthisexample is ...

Page 371: ...0 20 deny 10 10 10 1 0 0 0 255 30 remark HOST 10 20 10 34 30 permit 10 20 10 34 0 0 0 0 exit Figure 9 24 Example of Inserting a Remark Inserting a Remark for an ACE that Already Exists in an ACL If a sequence number is already assigned to an ACE in a list you cannot insert a remark by assigning it to the same number To configure a remark with the same number as a given ACE the remark must be confi...

Page 372: ... will then be placed sequentially in the list according to the sequence number used Configuring two remarks without either sequence numbers or an intervening unnumbered ACE results in the second remark over writing the first ProCurve config ip access list standard Accounting ProCurve config std nacl permit host 10 10 10 115 ProCurve config std nacl deny 10 10 10 1 24 ProCurve config std nacl show ...

Page 373: ...tent information for a specific 9 89 IPv4 ACL Displays information on the resources currently available in the switch Refer to the appendix titled MonitoringResources inthelatestManagement and Configuration Guide for your switch Lists the RADIUS ACL s currently assigned for eitherallportsandtrunks orforthespecifiedports and or trunks For more on this topic refer to chapter6 ConfiguringRADIUSServer...

Page 374: ... Control Lists Type Appl Name std yes List 01 v4 IN ext no List 02 v4 OUT std yes 55 In this switch the ACL named List 02 v4 OUT exists in the configuration Figure 9 26 Example of show access list Command Figure 9 27 Example of a Summary Table of Access lists Term Meaning Type Shows whether the listed ACL is an IPv4 std AC or an IPv4 ext ACL Appl Shows whether the listed ACL has been applied to an...

Page 375: ...ionalsoappearsintheshowrunningdisplay Ifyouexecutedwrite memory after configuring an ACL it appears in the show config display For example with two ACLs configured in the switch you will see results similar to the following ProCurve config show access list config ip access list standard List 43 10 deny 10 28 236 77 0 0 0 0 20 deny 10 29 140 107 0 0 0 0 30 permit 0 0 0 0 255 255 255 255 exit ip acc...

Page 376: ...how running display If you execute write memory after configuring an ACL it appears in the show config display For example if you assigned a standard ACL with an ACL ID of Port 10 to filter inbound IP traffic on switch ports B10 B11 and trunk trk1 you could verify these assignments as shown in figure 9 29 ProCurve config show access list ports all Access Lists for Port B10 Inbound 15 Type Standard...

Page 377: ...onfigured the following two ACLs in the switch ACL ID Type Desired Action 1 Standard Deny IP traffic from 18 28 236 77 and 18 29 140 107 Permit IP traffic from all other sources 105 Extended Permit any TCP traffic from 18 30 133 27 to any destination Deny any other IP traffic from 18 30 133 1 255 Permit all other IP traffic from any source to any destination Inspect the ACLs as follows ProCurve co...

Page 378: ...igure 9 31 Examples of Listings Showing the Content of Standard and Extended ACLs Table 9 8 Descriptions of Data Types Included in Show Access List acl id Output Field Description Name The ACL identifier Can be a number from 1 to 199 or a name Type Standard or Extended The former uses only source IP addressing The latter uses both source and destination IP addressing and also allows TCP or UDP por...

Page 379: ...o Used only in extended ACLs to specify the packet protocol type to filter Must be either IP TCP or UDP For TCP protocol selections includes the established option if configured Port s Used only in extended ACLs to show any TCP or UDP operator and port number s included in the ACE TOS Used only in extended ACLs to indicate Type of Service setting if any Precedence Used only in extended ACLs to ind...

Page 380: ...s section describes the command for monitoring static ACL performance To monitor RADIUS assigned ACL performance use either of the following commands show access list radius all port list show port access authenticator mac based web based clients port list detailed Refer to Displaying the Current RADIUS Assigned ACL Activity on the Switch on page 6 26 Syntax show statistics aclv4 acl name str port...

Page 381: ...al of 37 matches on the ACE since the last time the ACL s counters were reset Total 37 10 permit icmp 10 10 20 3 Note This ACL monitoring feature does not include hits on the implicit deny that is included at the end of all ACLs Resetting ACE Hit Counters to Zero Removing an ACL from an interface zeros the ACL s ACE counters for that interface only For a given ACL either of the following actions c...

Page 382: ... described in this section Note Copy commands that used either tftp or xmodem also include an option to use usb as a source or destination device for file transfers So although the following example highlights tftp bear in mind that xmodem or usb can also be used to transfer ACLs to and from the switch Creating or Editing an ACL Offline The Offline Process 1 Begin by doing one of the following To ...

Page 383: ...laces it with a 10 remark THIS ACE ALLOWS TELNET new version with the same identity To append 20 deny ip 10 30 133 1 0 0 0 255 0 0 0 0 255 255 255 255 new ACEs to an existing ACL instead of replacing 30 deny ip 10 30 155 1 0 0 0 255 0 0 0 0 255 255 255 255 it youwouldomitthefirst 40 remark THIS IS THE FINAL ACE IN THE LIST line and ensure that the 40 permit ip 0 0 0 0 255 255 255 255 0 0 0 0 255 2...

Page 384: ...ds ACL messages to Syslog and optionally to the current console Telnet or SSH session You can use logging to configure up to six Syslog server destinations Requirements for Using ACL Logging The switch configuration must include an ACL 1 assigned to a port or trunk and 2 containing an ACE configured with the deny action and the log option For ACL logging to a Syslog server The server must be acces...

Page 385: ... summary of any additional deny matches for that ACE and any other deny ACEs for which the switch detected a match If no further log messages are generated in the wait period the switch suspends the timer and resets itself to send a message as soon as a new deny match occurs The data in the message includes the information illustrated in figure 9 33 Feb 1 10 04 45 10 10 20 1 ACL ACL 02 01 07 10 04...

Page 386: ...og to enable the logging for Syslog operation 3 Use the debug destination command to configure one or more log destina tions Destination options include logging and session For more informa tion on debug refer to Debug and Syslog Messaging Operation in appendix C Troubleshooting in the Management and Configuration Guide for your switch 4 Use debug acl or debug all to configure the debug operation ...

Page 387: ... groups However excessive logging can affect switch performance For this reason ProCurve recommends that you remove the logging option from ACEs for which you do not have a present need Also avoid configuring logging where it does not serve an immediate purpose Note that ACL logging is not designed to function as an accounting method See also Apparent Failure To Log All Deny Matches in the section...

Page 388: ...n an ACL to an interface and subsequently add or replace ACEs in that ACL each new ACE becomes active when you enter it If the ACL is configured on multiple interfaces when the change occurs then the switch resources must accom modate all applications of the ACL If there are insufficient resources to accommodate one of several ACL applications affected by the change then the change is not applied ...

Page 389: ...base 10 11 Operational Notes 10 12 Log Messages 10 13 Dynamic ARP Protection 10 15 Introduction 10 15 Enabling Dynamic ARP Protection 10 17 Configuring Trusted Ports 10 17 Adding an IP to MAC Binding to the DHCP Database 10 19 Configuring Additional Validation Checks on ARP Packets 10 20 Verifying the Configuration of Dynamic ARP Protection 10 20 Displaying ARP Packet Statistics 10 21 Monitoring D...

Page 390: ... repeated attacker access to the network and numer ous IP address requests Dynamic ARP protection Protects your network from ARP cache poisoning as in the following cases An unauthorized device forges an illegitimate ARP response and network devices use the response to update their ARP caches A denial of service DoS attack from unsolicited ARP responses changes the network gateway IP address so th...

Page 391: ...number of learned MAC addresses or a high number of MAC address moves from one port to another Attempts to exhaust available CPU resources indicated by an increased number of learned MAC address events being discarded DHCP Snooping Command Page dhcp snooping page 10 4 authorized server page 10 8 database page 10 11 option page 10 8 trust page 10 7 verify page 10 10 vlan page 10 6 show dhcp snoopin...

Page 392: ...s check a DHCP packet N A received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet Unless configured to not perform this check a DHCP packet N A containing DHCP relay information option 82 received from an untrusted port A broadcast packet that has a MAC address in the DHCP DHCPRELEASE binding database but the port in the DHCP b...

Page 393: ...d Default Yes vlan Enable DHCP snooping on a vlan DHCP snooping must be enabled already Default No To display the DHCP snooping configuration enter this command ProCurve config show dhcp snooping An example of the output is shown below ProCurve config show dhcp snooping DHCP Snooping Information DHCP Snooping Yes Enabled Vlans Verify MAC Yes Option 82 untrusted policy drop Option 82 Insertion Yes ...

Page 394: ... Snooping Statistics Enabling DHCP Snooping on VLANS DHCP snooping on VLANs is disabled by default To enable DHCP snooping on a VLAN or range of VLANs enter this command ProCurve config dhcp snooping vlan vlan id range You can also use this command in the vlan context in which case you cannot enter a range of VLANs for snooping Below is an example of DHCP snooping enabled on VLAN 4 ProCurve config...

Page 395: ...oCurve config dhcp snooping trust B1 B2 ProCurve config show dhcp snooping DHCP Snooping Information DHCP Snooping Yes Enabled Vlans 4 Verify MAC Yes Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 remote id mac Store lease database Not configured Port Trust B1 Yes B2 Yes B3 No Figure 10 4 Example of Setting Trusted Ports DHCP server packets are forwarded only if received on a tr...

Page 396: ...bled Vlans 4 Verify MAC No Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 remote id subnet ip Authorized Servers 111 222 3 4 10 0 0 11 Figure 10 5 Example of Authorized Servers for DHCP Snooping Using DHCP Snooping with Option 82 DHCP adds Option 82 relay information option to DHCP request packets received on untrusted ports by default See the preceding section Config uring DHCP...

Page 397: ... relay information option mac The switch mac address is used for the remote id This is the default subnet ip The IP address of the VLAN the packet was received on is used for the remote id If subnet ip is specified but the value is not set the MAC address is used mgmt ip The management VLAN IP address is used as the remote id If mgmt ip is specified but the value is not set the MAC address is used...

Page 398: ...roCurve config dhcp snooping option 82 remote id subnet ip ProCurve config show dhcp snooping DHCP Snooping Information DHCP Snooping Yes Enabled Vlans 4 Verify MAC Yes Option 82 untrusted policy drop Option 82 Insertion Yes Option 82 remote id subnet ip Figure 10 6 Example of DHCP Snooping Option 82 using the VLAN IP Address Disabling the MAC Address Check DHCP snooping drops DHCP packets receive...

Page 399: ...address Lease time The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted If the switch is rebooted it will read its binding database from the specified location To configure this location use this command Syntax no dhcp snooping database file tftp ip address ascii string delay 15 86400 timeout 0 86400 file Must be in Uniform Resourc...

Page 400: ...kets until the lease database is read This only occurs when the switch reboots and is completed quickly If the switch is unable to read the lease database from the tftp server it waits until that operation times out and then begins forwarding DHCP packets Enabling Debug Logging To enable debug logging for DHCP snooping use this command Syntax no debug dhcp snooping agent event packet agent Display...

Page 401: ...ion address is out a port configured as untrusted Ceasing untrusted port destination logs for s More that one client unicastpacketwithanuntrustedportdestinationwasdropped Toavoidfilling the log file with repeated attempts untrusted port destination attempts will not be logged for the specified duration Unauthorized server ip address detected on port port number Indicates that an unauthorized DHCP ...

Page 402: ...peated attempts client address mismatch events will not be logged for the specified duration Attempt to release address ip address leased to port port number detected on port port number dropped Indicates an attempt by a client to release an address when a DHCPRELEASE or DHCPDECLINE packet is received on a port different from the port the address was leased to Ceasing bad release logs for s More t...

Page 403: ...end his own IP to MAC address binding in the reply that causes all traffic destined for a VLAN node to be sent to the attacker s MAC address As a result the attacker can intercept traffic for other hosts in a classic man in the middle attack The attacker gains access to any traffic sent to the poisoned address and can capture passwords e mail and VoIP calls or even modify traffic before resending ...

Page 404: ...to add static IP to MAC address bindings to the DHCP snooping database so that ARP packets from devices that have been assigned static IP addresses are also verified Supports additional checks to verify source MAC address destination MAC address and IP address ARP packets that contain invalid IP addresses or MAC addresses in their body that do not match the addresses in the Ethernet header are dro...

Page 405: ... validation By default all ports on a switch are untrusted If a VLAN interface is untrusted The switch intercepts all ARP requests and responses on the port Each intercepted packet is checked to see if its IP to MAC binding is valid If a binding is invalid the switch drops the packet You must configure trusted ports carefully For example in the topology in Figure 10 9 Switch B may not see the leas...

Page 406: ...r 2 domain Because ARP packets do not cross Layer 2 domains the unprotected switches cannot unknowingly accept ARP packets from an attacker and forward them to protected switches through trusted ports To configure one or more Ethernet interfaces that handle VLAN traffic as trusted ports enter the arp protect trust command at the global configuration level The switch does not check ARP requests and...

Page 407: ...rotection To add the static configuration of an IP to MAC binding for a port to the database enter the ip source binding command at the global configuration level Syntax no ip source binding mac address vlan vlan id ip address interface port number mac address Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database vlan vlan id Specifies a VLAN...

Page 408: ... destination MAC address in the Ethernet header does not mach the target MAC address in the body of the ARP packet ip Optional Drops any ARP packet in which the sender IP address is invalid Drops any ARP response packet in which the target IP address is invalid Invalid IP addresses include 0 0 0 0 255 255 255 255 all IP multicast addresses and all Class E IP addresses You can configure one or more...

Page 409: ...s dropped ARP packets MAC validation failure and IP validation failures enter the show arp protect statistics command ProCurve config show arp protect statistics Status and Counters ARP Protection Counters for VLAN 1 Forwarded pkts 10 Bad source mac 2 Bad bindings 1 Bad destination mac 1 Malformed pkts 0 Bad IP address 0 Status and Counters ARP Protection Counters for VLAN 2 Forwarded pkts 1 Bad s...

Page 410: ... The switch is allowing invalid ARP packets that should be dropped ProCurve config debug arp protect 1 ARP request is valid DARPP Allow ARP request 000000 000001 10 0 0 1 for 10 0 0 2 port A1 vlan 2 ARP request detected with an invalid binding DARPP Deny ARP request 000000 000003 10 0 0 1 port A1 vlan 1 3 ARP response with a valid binding DARPP Allow ARP reply 000000 000002 10 0 0 2 port A2 vlan 1...

Page 411: ...system resource usage resulting in insufficient resources for legitimate traffic login failures min The count of failed CLI login attempts or SNMP management authentication failures This indicates an attempt has been made to manage the switch with an invalid login or password Also it might indicate a network management station has not been configured with the correctSNMP authentication param eters...

Page 412: ...og file with redundant information The following is an example of alerts that occur when the device is continually subject to the same attack too many MAC addresses in this instance W 01 01 90 00 05 00 inst mon Limit for MAC addr count 300 is exceeded 321 W 01 01 90 00 10 00 inst mon Limit for MAC addr count 300 is exceeded 323 W 01 01 90 00 15 00 inst mon Limit for MAC addr count 300 is exceeded ...

Page 413: ...ts per minute discarded to help free CPU resources when busy Default threshold setting when enabled 100 med login failures The count of failed CLI login attempts or SNMP management authen tication failures per hour Default threshold setting when enabled 10 med mac address count The number of MAC addresses learned in the forwarding table You must enter a specific value in order to enable this featu...

Page 414: ...he system delay parameter ProCurve config no instrumentation monitor system delay To adjust the alert threshold for the MAC address count to the low value ProCurve config instrumentation monitor mac address count low To adjust the alert threshold for the MAC address count to a specific value ProCurve config instrumentation monitor mac address count 767 To enable monitoring of learn discards with t...

Page 415: ... med system resource usage 50 med system delay 5 high mac moves min 100 med learn discards min 100 med ip port scans min 10 med arp requests min 100 low login failures min 10 med port auth failures min 10 med SNMP trap generation for alerts enabled Instrumentation monitoring log enabled Figure 10 15 Viewing the Instrumentation Monitor Configuration An alternate method of determining the current In...

Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...

Page 417: ...1 6 Defining and Configuring Named Source Port Filters 11 7 Viewing a Named Source Port Filter 11 9 Using Named Source Port Filters 11 9 Static Multicast Filters 11 15 Protocol Filters 11 16 Configuring Traffic Security Filters 11 17 Configuring a Source Port Traffic Filter 11 18 Example of Creating a Source Port Filter 11 19 Configuring a Filter on a Port Trunk 11 19 Editing a Source Port Filter ...

Page 418: ...ies 3400cl Yes No No Series 2910al Yes Yes Yes Series 2800 Yes No No Series 2500 Yes Yes Yes Switch 4000m and 8000m Yes Yes Yes This chapter describes Traffic Security filters on the switches covered in this guide For information on filters for other switches in the above table refer to the documentation provided for those switches Introduction Feature Default Menu CLI Web configure source port fi...

Page 419: ...gle source or destination for source port filtering If you configure a port for filtering before adding it to a port trunk the portretains the filter configuration butsuspends the filtering action while a member of the trunk If you want a trunk to perform filtering first configure the trunk then configure the trunk for filtering Refer to Config uring a Filter on a Port Trunk on page 11 19 Filter T...

Page 420: ...plication Operating Rules for Source Port Filters You can configure one source port filter for each physical port and port trunk on the switch Refer to the filter command on page 11 18 You can include all destination ports and trunks in the switch on a single source port filter Each source port filter includes One source port or port trunk trk1 trk2 trkn A set of destination ports and or port trun...

Page 421: ...IP addresses configured on a VLAN and routing enabled on the switch a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN In this case you can prevent the traffic of one subnet from being routed to another subnet of the same port by configuring the port or trunk as both the source and destination for traffic to drop Example If you wanted ...

Page 422: ... port trunk can only have one source port filter but by using this capability you can define a source port filter once and apply it to multiple ports and port trunks This can make it easier to configure and manage source port filters on your switch The commands to define configure apply and display the status of named source port filters are described below Operating Rules for Named Source Port Fi...

Page 423: ...d source port filters that can be used is equal to the number of ports on a switch A named source port filter can only be removed if it is not in use use the show filter source port command to check the status Named source port filters are not automatically deleted when they are no longer used Use the no option to delete an unused named source port filter Syntax filter source port named filter fil...

Page 424: ...lter must first be defined and configured before it can be applied In the following example two named source port filters are defined web only and accounting ProCurve config filter source port named filter web only ProCurve config filter source port named filter accounting By default these two named source port filters forward traffic to all ports and port trunks To configure a named source port f...

Page 425: ...ed source port filter has been defined but not configured this field is blank index For the supplied index IDX displays the action taken Drop or Forward for each destination port on the switch Using Named Source Port Filters A company wants to manage traffic to the Internet and its accounting server on a 26 port switch Their network is pictured in Figure 11 4 Switch port 1 connects to a router tha...

Page 426: ... Security Filters Port List Action Filter Name Lists the ports and port trunks web only NOT USED drop 2 26 dropped by the accounting NOT USED drop 1 6 8 9 12 26 filter Ports and port trunks not no incoming web NOT USED drop 7 10 11 shown are forwardedbythe ProCurve Switch 2626 config filter To remove a port orporttrunkfrom the list update the named source portfilter definition using the forward op...

Page 427: ...ts assigned IDX number for as long as the filter exists in the switch The switch assigns the lowestavailableIDXnumbertoanew filter This can result in a newer filter having a lower IDX number than an older filter if a previous source port or named source port filter deletion created a gap in the filter listing IDX Filter Type Value 1 Source Port 2 2 Source Port 3 3 Source Port 4 4 Source Port 5 5 S...

Page 428: ...100TX Forward 2 10 100TX Drop 2 10 100TX Drop 3 10 100TX Drop 3 10 100TX Drop 4 10 100TX Drop 4 10 100TX Drop 5 10 100TX Drop 5 10 100TX Drop 6 10 100TX Drop 6 10 100TX Drop 7 10 100TX Forward 7 10 100TX Drop 8 10 100TX Drop 8 10 100TX Drop 9 10 100TX Drop 9 10 100TX Drop 10 10 100TX Drop 10 10 100TX Drop 11 10 100TX Drop 11 10 100TX Drop 12 10 100TX Drop 12 10 100TX Drop Figure 11 8 Example Showi...

Page 429: ...mpany grows more resources are required in accounting Two additional accounting workstations are added and attached to ports 12 and 13 A second server is added attached to port8 Accounting Server 1 Port 7 Port 1 Router to the Internet Port 12 Accounting Workstation 3 Port 13 Accounting Workstation 4 Network Design 1 AccountingWorkstationsmayonlysendtraffictotheAccountingServer 2 NoInternettrafficm...

Page 430: ...ing 7 10 11 drop 1 6 9 14 26 no incoming web 1 drop 7 8 10 13 ProCurve config Figure 11 11 Example Showing Network Traffic Management with Source Port Filters We next apply the updated named source port filters to the appropriate switch ports As a port can only have one source port filter named or not named before applying the new named source port filters we first remove the existing source port ...

Page 431: ...st filters defined by the filter command page 11 21 However if an IGMP controlled filter for a joined multicast group has the same multicast address as a static multicast filter configured on a given port the IGMP controlled filter overrides the static multicast filter configured on that port Note that in the default configuration IGMP is disabled on VLANs configured in the switch To enable IGMP o...

Page 432: ...255 255 which corresponds to the Ethernet multi cast address range of 01005e 000000 through 01005e 7fffff Any static Traffic Security filters configured with a multicast filter type and a multicast address in this range will continue to be in effect unless IGMP learns of a multicast group destination in this range In this case IGMP takes over the filtering function for the multicast destination ad...

Page 433: ...uring Traffic Security Filters Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify 1 Select the static filter type s 2 For inbound traffic matching the filter type determine the filter action you want for each outbound destination port on the switch forward or drop The default action for a new filter is ...

Page 434: ...fic for the ports and or trunks in the designated destination port list Can be followed by forward destination port list if you have other destination ports set to drop that you want to change to forward If no drop or forward action is specified the switch automatically creates a filter with a forward action from the designated source port or trunk to all destination ports or trunks on the switch ...

Page 435: ... Configuring a Filter on a Port Trunk This operation uses the same command as is used for configuring a filter on an individual port However the configuration process requires two steps 1 Configure the port trunk 2 Configure a filter on the port trunk by using the trunk name trk1 trk2 trk6 instead of a port name For example to create a filter on port trunk 1 to drop traffic received inbound for tr...

Page 436: ...before it was added to the trunk Figure 11 14 Example of Switch Response to Adding a Filtered Source Port to a Trunk Editing a Source Port Filter The switch includes in one filter the action s for all destination ports and or trunks configured for a given source port or trunk Thus if a source port filter already exists and you want to change the currently configured action for some destination por...

Page 437: ...s multicast address and returns the destination ports for that filter to the Forward action forward drop port list Specifies whether the designated destination port s should forward or drop the filtered traffic protocol ip ipx arp appletalk sna netbeui Specifies a protocol type Traffic received on any port with this protocol type will be filtered Default Forward on all ports The no form of the com...

Page 438: ...llowing commands configure the filters listed above Figure 11 16 Configuring Various Traffic Security Filters Filter Indexing The switch automatically assigns each new filter to the lowest available index IDX number The index numbers are included in the show filter command described in the next section and are used with the show filter index command to display detailed information about a specific...

Page 439: ...lower IDX number than an older filter if a previous filter deletion created a gap in the filter listing Filter Type Indicates the type of filter assigned to the IDX number source port multicast or protocol Value Indicates the port number or port trunk name of the source port or trunk assigned to the filter index Lists the filter type and other data for the filter corre spondingtotheindexnumberinth...

Page 440: ...y Filters Filter Index Numbers AutomaticallyAssigned Listsallfiltersconfigured in the switch Uses the index number IDX for a specific filter to list the details for that filter only Criteria for Individual Filters Figure 11 17 Example of Displaying Filter Data 11 24 ...

Page 441: ... Operating Rules and Notes 12 12 General Setup Procedure for 802 1X Access Control 12 15 Do These Steps Before You Configure 802 1X Operation 12 15 Overview Configuring 802 1X Authentication on the Switch 12 18 Configuring Switch Ports as 802 1X Authenticators 12 19 1 Enable 802 1X Authentication on Selected Ports 12 20 A Enable the Selected Ports as Authenticators and Enable the Default Port Base...

Page 442: ...n VLAN Mode 12 42 802 1X Open VLAN Operating Notes 12 46 Option For Authenticator Ports Configure Port Security To Allow Only 802 1X Authenticated Devices 12 47 Port Security 12 48 Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches 12 49 Example 12 49 Supplicant Port Configuration 12 51 Displaying 802 1X Configuration Statistics and Counters 12 53 Show Comm...

Page 443: ...is exposes the network to unauthorized use and malicious attacks While access to the network should be made easy uncontrolled and unauthorized access is usually not desirable 802 1X simplifies security management by providing access control along with the ability to control user profiles from up to three RADIUS servers while allowing a given user to use the same entering valid user credentials for...

Page 444: ... a RADIUS server including the accounting update interval Use of Show commands to display session counters Support for concurrent use of 802 1X and either Web authentication or MAC authentication on the same port For unauthenticated clients that do not have the necessary 802 1X suppli cant software or for other reasons related to unauthenticated clients there is the option to configure an Unauthor...

Page 445: ...t the same time If the first client authenticates and opens the port and then another client authenticates the port responds as if the original client has initiated a reauthentication With multiple clients authenticating on the port the RADIUS configuration response to the latest client authentication replaces any other configuration from an earlier client authentication If all clients use the sam...

Page 446: ...ion through the switch s local username and password instead of a RADIUS server but doing so increases the administrative burden decentralizes user credential admin istration and reduces security by limiting authentication to one Operator password set for all users Accounting The switches covered in this guide also provide RADIUS Network accounting for 802 1X access Refer to chapter 5 RADIUS Admin...

Page 447: ...workstation or mobile PC linked to the switch through a point to point LAN link User Based Authentication The 802 1X extension in the switches covered in this guide In this operation multiple clients on the same port must individually authenticate themselves Guest VLAN See Unauthorized Client VLAN EAP Extensible Authentication Protocol EAP enables network access that supports multiple authenticati...

Page 448: ...ed to provide access to a client prior to authentication and is sometimes termed a guest VLAN It should be set up to allow an unauthenticated client to access only the initialization services necessary to establish an authenticated connection plus any other desirable services whose use by an unauthenticated client poses no security threat to your network Note that an unauthenticated client has acc...

Page 449: ...for the client 3 The switch responds in one of the following ways If 802 1X on the switch is configured for RADIUS authentication the switch then forwards the request to a RADIUS server i The server responds with an access challenge which the switch forwards to the client ii The client then provides identifying credentials such as a user certificate which the switch forwards to the RADIUS server i...

Page 450: ... switch assigns the port to the VLAN entered in the port s 802 1X configuration as an Authorized Client VLAN if configured c 3rd Priority If the port does not have an Authorized Client VLAN configured but does have a static untagged VLAN membership in its configuration then the switch assigns the port to this VLAN A port assigned to a VLAN by an Authorized Client VLAN configuration or a RADIUS ser...

Page 451: ...sing Port Are All Old Clients On Unauthorized VLAN No No Yes Yes Assign New Client to RADIUS Specified VLAN Assign New Client toAuthorizedVLAN Configured on Port Assign New Client to Untagged VLAN Configured On Port Yes New Client VLAN Same As Old Client VLAN No Drop All Clients UsingUnauthorized VLAN No Reject New Client On Port Yes Accept New Client On Port Yes No Figure 12 1 Priority of VLAN As...

Page 452: ...s an authenticator one authenticated client opens the port Other clients that are not running an 802 1X supplicant application can have access to the switch and network through the opened port If another client uses an 802 1X supplicant application to access the opened port then a re authentication occurs using the RADIUS configuration response for the latest client to authenticate To control acce...

Page 453: ...you try to configure 802 1X on a port already configured for LACP or the reverse you will see a message similar to the following Error configuring port X LACP and 802 1X cannot be run together When spanning tree is enabled on a switch that uses 802 1X Web authen tication or MAC authentication loops may go undetected For example spanning tree packets that are looped back to an edge port will not be...

Page 454: ...rol 802 1X General Operating Rules and Notes not enabled That is any non authenticating client attempting to access the port after another client authenticates with port based 802 1X would still have to authenticate through Web Auth or MAC Auth 12 14 ...

Page 455: ...nd is used to configure the operator username and password that are used as 802 1X credentials for networkaccesstotheswitch 802 1Xnetworkaccessisnotallowedunless a password has been configured using thepasswordport access command Syntax password port access user name name password Configures the operator username and password used to access the network through 802 1X authentication user name name ...

Page 456: ...upplicants and disable LACP on these ports For more informa tion on disabling LACP refer to the Note on page 12 20 To display the current configuration of 802 1X Web based and MAC authentication on all switch ports enter the show port access config command ProCurve config show port access config Port Access Status Summary Port access authenticator activated No Yes Allow RADIUS assigned dynamic GVR...

Page 457: ...AN Mode on page 12 31 5 For any port you want to operate as a supplicant determine the user credentials You can either use the same credentials for each port or use unique credentials for individual ports or subgroups of ports This can also be the same local username password pair that you assign to the switch 6 Unless you are using only the switch s local username and password for 802 1X authenti...

Page 458: ...etwork access Refer to page 12 20 2 If you want to provide a path for clients without 802 1X supplicant software to download the software so that they can initiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 12 31 3 Configure the 802 1X authentication type Options include Local Operator username and password using the pass...

Page 459: ...vice then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Other Switches on page 12 49 Configuring Switch Ports as 802 1X Authenticators 802 1X Authentication Commands Page no aaa port access authenticator port list 12 20 auth vid clear statistics client limit control max requests 12 20 initialize logoff period quiet period s...

Page 460: ... switch automatically dis ables LACP on that port However if the port is already operating in an LACP trunk you must remove the port from the trunk before you can configure it for 802 1X authentication A Enable the Selected Ports as Authenticators and Enable the Default Port Based Authentication Syntax no aaa port access authenticator port list Enables specified ports to operate as 802 1X authenti...

Page 461: ...s the earlier session Note Because a switch allows 802 1X authentication and Web or MAC authentication to co exist on the same port the sum of authenticated client sessions allowed on a given port for both 802 1X and either Web or MAC authentication cannot exceed 32 Port Based 802 1X Authentication no aaa port access authenticator client limit Used to convert a port from user based authentication ...

Page 462: ...rt Access The commands in this section are initially set by default and can be reconfig ured as needed Syntax aaa port access authenticator port list control authorized auto unauthorized Controls authentication mode on the specified port authorized Also termed Force Authorized Gives access to a device connected to the port In this case the device does not have to provide 802 1X credentials or supp...

Page 463: ... waits for a server response to an authentication request If there is no response within the configured time frame the switch assumes that the authentication attempt has timed out Depending on the current max requests setting the switch will either send a new request to the server or end the authentication session Default 30 seconds max requests 1 10 Sets the number of authentication attempts that...

Page 464: ... waits for a server response to an authentication request If there is no response within the configured time frame the switch assumes that the authentication attempt has timed out Depending on the current max requests setting the switch will either send a new request to the server or end the authentication session Default 30 seconds max requests 1 10 Sets the number of authentication attempts that...

Page 465: ...2 1X Open VLAN Mode on page 12 31 aaa port access authenticator port list logoff period 1 999999999 Configures the period of time the switch waits for client activity before removing an inactive client from the port Default 300 seconds unauth period 0 255 Specifies a delay in seconds for placing a port on the Unauthorized Client VLAN This delay allows more time for a client with 802 1X supplicant ...

Page 466: ... method for port access The default pri mary authentication is local Refer to the documentation for your RADIUS server application For switches covered in this guide you must use the password port access command to configure the operator user name and password for 802 1X access See General Setup Proce dure for 802 1X Access Control on page 12 15 for more information none authorized Provides option...

Page 467: ...ing authentication or accounting sessions with the spec ified server This key must match the key used on the RADIUS server Use this option only if the specified server requires a different key than configured for the global encryption key Syntax radius server key global key string Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a ser...

Page 468: ...igure 802 1X Controlled Directions After you enable 802 1X authentication on specified ports you can use the aaa port access controlled directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenti cated state As documented in the IEEE 802 1X standard an 802 1X aware port that is unauthenticated can control traffic in either of t...

Page 469: ...to remotely power on a sleeping workstation for example during early morning hours to perform routine maintenance operations such as patch management and software updates The aaa port access controlled direction in command allows Wake on LAN traffic to be transmitted on an 802 1X aware egress port that has not yet transitioned to the 802 1X authenticated state the controlled direction both setting...

Page 470: ...er the show port access authenticator config command as shown in Figure 12 11 When an 802 1X authenticated port is configured with the controlled directions in setting eavesdrop prevention is not supported on the port Example Configuring 802 1X Controlled Directions The following example shows how to enable the transmission of Wake on LANtrafficintheegressdirectiononan802 1X awareportbeforeittrans...

Page 471: ...d as 802 1X authenticators Configuring the 802 1X Open VLAN mode on a port changes how the port responds when it detects a new client In earlier releases a friendly client computer not running 802 1X supplicant software could not be authenticated on a port protected by 802 1X access security As a result the port would become blocked and the client could not access the network This prevented the cl...

Page 472: ...VLAN membership for that port Clients that connect without trying to authenticate will have access to the untagged VLAN mem bership that is currently assigned to the port VLAN Membership Priorities Following client authentication an 802 1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration The port also becomes an untagged member of one VLAN ac...

Page 473: ...pen VLAN mode authentication Unauthorized Client VLAN Configure this VLAN when unauthenti cated friendly clients will need access to some services before being authenticated or instead of being authenticated Authorized Client VLAN ConfigurethisVLANforauthenticatedclients when the port is not statically configured as an untagged member of a VLAN you want clients to use or when the port is staticall...

Page 474: ...rt already has a statically configured untagged membership in another VLAN then the port temporarily closes access to this other VLAN while in the Unauthorized Client VLAN To limit security risks the network services and access available ontheUnauthorized ClientVLANshouldincludeonlywhataclient needs to enable an authentication session If the port is statically configured as a tagged member of any ...

Page 475: ...zed Client VLAN If RADIUS authentication assigns a VLAN and there are no other authenticatedclientsontheport thentheportbecomesamember of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is connected If the port is statically configured as a tagged member of a VLAN andthisVLANisusedastheAuthorized ClientVLAN thentheport temporarily becomes an untagged member of this ...

Page 476: ...hentication assigns the port to a VLAN this assignment overrides any statically configured untagged VLAN membership on the port while the client is connected If the port is statically configured as a tagged member of a VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN Note that i...

Page 477: ... port is statically configured asa tagged member ofany other VLAN the port returns to tagged membership in this VLAN upon successfulclientauthentication ThishappenseveniftheRADIUS server assigns the port to another authorized VLAN If the port is already configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN then the port becomes an untagged member of that VLAN for the du...

Page 478: ...hen the client disconnects from the port then the port drops these assignments and uses the untagged VLAN memberships for which it is statically configured After client authen tication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 12 33 TemporaryVLANMembershipDuring a Client Session Port membership in a VLAN assigned to operat...

Page 479: ...ntheauthenticatedclientdisconnects theswitchremovesthe port from the Authorized Client VLAN and moves it back to the untagged membership in the statically configured VLAN After client authentication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 12 33 Note This rule assumes No alternate VLAN has been assigned by a RADIUS server...

Page 480: ...N before authentication can begin Switch with a Port Configured To Allow Multiple Authorized Client Sessions When a new client is authenticated on a given port If no other clients are authenticated on that port then the port joins one VLAN in the following order of precedence a A RADIUS assigned VLAN if configured b An Authenticated Client VLAN if configured c A static port based VLAN to which the...

Page 481: ...re currently using the port Thus an Unauthorized Client VLAN configured on a switch port that allows multiple 802 1X clients cannot be used if there is already an authenticated client using the port on another VLAN Also a client using the Unauthenticated Client VLAN will be blocked when another client becomes authenticated on the port For this reason the best utilization of the Unauthorized Client...

Page 482: ...d member of another VLAN the port s access to that other VLAN will be temporarily removed while an authenticated client is connected to the port For example if i Port A5 is an untagged member of VLAN 1 the default VLAN ii You configure port A5 as an 802 1X authenticator port iii You configure port A5 to use an Authorized Client VLAN Then if a client connects to port A5 and is authenticated port A5...

Page 483: ...rs The switch automatically disables LACP on the ports on which you enable 802 1X On the ports you will use as authenticators with VLAN operation ensure that the port control parameter is set to auto the default Refer to 1 Enable 802 1X Authentication on Selected Ports on page 12 20 This setting requires a client to support 802 1X authentication with 802 1X supplicant operation and to provide vali...

Page 484: ... a server specific key This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key 4 Activate authentication on the switch Syntax aaa port access authenticator active Activates 802 1X port access on ports you have config ured as authenticators 5 Test both the authorized and unauthorized access to your system to ensure that the 802 1X authen...

Page 485: ...ring The server is connected to a port on the Default VLAN The switch s default VLAN is already configured with an IP address of 10 28 127 100 and a network mask of 255 255 255 0 ProCurve config aaa authentication port access eap radius Configures the switch for 802 1X authentication using an EAP RADIUS server ProCurve config aaa port access authenticator a10 a20 Configures ports A10 A20 as 802 1 ...

Page 486: ... to tagged membership in VLAN X upon successful client authen tication This happens even if the RADIUS server assigns the port to another authorized VLAN Y Note that if RADIUS assigns VLAN X as anauthorizedVLAN then theportbecomesanuntaggedmemberofVLAN X for the duration of the client connection If there is no Authorized Client or RADIUS assigned VLAN then an authenticated client without tagged VL...

Page 487: ...s already in effect Option For Authenticator Ports Configure Port Security To Allow Only 802 1X Authenticated Devices If 802 1X authentication is disabled on a port or set to authorized Force Authorize the port can allow access to a non authenticated client Port Security operates with 802 1X authentication only if the selected ports are configured as 802 1X with the control mode in the port access...

Page 488: ... limit sets 802 1X to user based operation on the specified ports When this limit is reached no further devices can be authenticated until a currently authenti cated device disconnects and the current delay period or logoff period has expired Configure the port access type Syntax aaa port access auth port list client limit 1 8 Configures user based 802 1X authentication on the specified ports and ...

Page 489: ...2 27 A switch port can operate as a supplicant in a connection to a port on another 802 1X aware switch to provide security on links between 802 1X aware switches A port can operate as both an authenticator and a supplicant Example Suppose that you want to connect two switches where Switch A has port A1 configured for 802 1X supplicant operation You want to connect port A1 on switch A to port B5 o...

Page 490: ... packet If switch B is configured for RADIUS authentication it forwards this request to a RADIUS server If switch B is configured for Local 802 1X authentication the authenticator compares the switch A response to its local username and password 2 The RADIUS server then responds with an MD5 access challenge that switch B forwards to port A1 on switch A 3 Port A1 replies with an MD5 hash response b...

Page 491: ... then use the identity and secret options to configure the RADIUS expected credentials on the supplicant port If the intended authenticator port uses Local 802 1X authentication then use the identity and secret options to configure the authenticator switch s local username and password on the supplicant port Syntax aaa port access supplicant ethernet port list To enable supplicant operation on the...

Page 492: ...pplicant port requests authentication See step 1 on page 12 49 for a description of how the port reacts to the authenticator response Default 3 held period 0 65535 Sets the time period the supplicant port waits after an active 802 1X session fails before trying to re acquire the authenticator port Default 60 seconds start period 1 300 Sets the delay between Start packet retransmissions That is aft...

Page 493: ...upplicant page 12 66 Details of 802 1X Mode Status Listings page 12 62 RADIUS server configuration pages 12 27 Show Commands for Port Access Authenticator Syntax show port access authenticator port list config statistics session counters vlan clients If you enter the showport accessauthenticatorcommand with out an optional value the following configuration informa tion is displayed for all switch ...

Page 494: ...ical value of the CoS 802 1p priority applied to inbound traffic from one authenticated client For client specific per port CoS values enter the showport accessweb basedclientsdetailed command Kbps In Limit Indicates the ingress rate limit assigned by the RADIUS server to the port for traffic inbound from the authenticated client If there is no ingress rate limit assigned then Not Set appears in t...

Page 495: ...ated No No Allow RADIUS assigned dynamic GVRP VLANs No No Auth Unauth Untagged Tagged Kbps In RADIUS Cntrl Port Clients Clients VLAN VLANs Port COS Limit ACL Dir 2 1 0 1 7 90 No In 3 1 0 1 5 50 Yes In Figure 12 10 Example of show port access authenticator Command The information displayed with the show port access authenticator command for individual config statistics session counters vlan clients...

Page 496: ...rts or specified ports 802 1X configuration information for ports that are not enabled as 802 1X authenticators is not displayed ProCurve config show port access authenticator config Port Access Authenticator Configuration Port access authenticator activated No Yes Allow RADIUS assigned dynamic GVRP VLANs No No Re auth Access Max Quiet TX Supplicant Server Cntrl Port Period Control Reqs Period Tim...

Page 497: ...its for a supplicant response to an EAP request Server Timeout Period of time in seconds that the switch waits for a server response to an authentication request Cntrl Dir Directions in which flow of incoming and outgoing traffic is blocked on 802 1X aware port that has not yet entered the authenticated state Both Incoming and outgoing traffic is blocked on port until authentication occurs In Only...

Page 498: ...ecified ports that are enabled as 802 1X authenticators including 802 1X frames received and transmitted on each port Duration and status of active 802 1X authentication sessions in progress or terminated User name of 802 1X supplicant included in 802 1X response packets configured with the aaa port access supplicantidentity username command see page 13 49 802 1X configuration information for port...

Page 499: ...t accessauthenticatorcontrol command see page 12 22 VLAN ID if any to be used for traffic from 802 1X authenticated clients VLAN ID if any to be used for traffic from unauthenticated clients 802 1X configuration information for ports that are not enabled as an 802 1X authenticators is not displayed ProCurve config show port access authenticator vlan Port Access Authenticator VLAN Configuration Por...

Page 500: ... a not available is displayed for a client s IP address If an 802 1X authenticated client uses an IPv6 address n a IPv6 is displayed If DHCP snooping is enabled but no MAC to IP address binding for a client is found in the DHCP binding table n a no info is displayed ProCurve config show port access authenticator clients Port Access Authenticator Client Status Port Client Name MAC Address IP Addres...

Page 501: ... Open Session Time sec 999999999 Frames In 999999999 Frames Out 99999999 Username webuser1 MAC Address 001321 eb8063 IP 2001 fecd ba23 cd1f dcb1 1010 9234 4088 Access Policy Details COS Map 70000000 In Limit 87 Untagged VLAN 3096 Out Limit 100 Tagged VLANs 1 3 5 6 334 2066 RADIUS ACL List deny in udp from any to 10 2 8 233 CNT Hit Count 0 permit in udp from any to 10 2 8 233 CNT Hit Count 0 deny i...

Page 502: ... VLAN ID column for the same port indicates an unauthenticated client is connected to this port Assumes that the port is not a statically configured member of VLAN 100 Items 1 through 3 indicate that an authenticated client is connected to port 2 1 Open in the Status column 2 Authorized in the Authenticator State column 3 TheAuthVLANID 101 isalsointheCurrentVLANIDcolumn Thisassumesthattheportisnot...

Page 503: ...nded whenever an authenticated 802 1X client is attached to the port Table 12 4 Rules of Access Control Status Indicator Meaning Access Control This state is controlled by the following port access command syntax ProCurve config aaa port access authenticator port list control authorized auto unauthorized Auto Configures the port to allow network access to any connected device that supports 802 1X ...

Page 504: ... supplicant is connected to the port Current VLAN ID vlan id Lists the VID of the static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Current Port CoS Refer to the section describing RADIUS support for Identity Driven Curr Rate Limit Inbound Management IDM in chapter 5 RADIUS Authentication and Accounting in this guide Syntax show vlan vl...

Page 505: ...e included under Overridden Port VLAN configuration This shows that static untagged VLANmembershipsonportsB1 and B3 have been overridden bytemporaryassignmenttothe authorized or unauthorized VLAN Using the show port access authenticator port list command shown in figure 12 17 provides details Figure 12 18 Example of Showing a VLAN with Ports Configured for Open VLAN Mode 12 65 ...

Page 506: ...how port access supplicant port list statistics Shows the port access statistics and source MAC address es for all ports or port list ports configured on the switch as supplicants See the Note on Suppli cant Statistics below Note on Supplicant Statistics For each port configured as a supplicant show port access supplicant statistics port list displays the source MAC address and statistics for tran...

Page 507: ... the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not already configured as an untagged member of the static VLAN specified by the RADIUS server then the switch temporarily assignsport N asanuntaggedmemberoftherequiredVLAN fortheduration of the 802 1X session At the same time if port N is already c...

Page 508: ... temporarily assigned as a member of an untagged static or dynamic VLAN for use during the client session according to the follow ing order of options a The port joins the VLAN to which it has been assigned by a RADIUS server during client authentication b If RADIUS authentication does not include assigning the port to a VLAN then the switch assigns the port to the authorized client VLAN configure...

Page 509: ...r For information on how to enable the switch to dynamically create 802 1Q compliant VLANs on links to other devices using the GARP VLAN RegistrationProtocol GVRP seethechapteron GVRP intheAdvanced Traffic Management Guide For an authentication session to proceed a port must be an untagged member of the static or dynamic VLAN assigned by the RADIUS server or an authorized client VLAN configuration...

Page 510: ...ccept multiple 802 1X and or MAC or Web authentication client sessions all authenticated clients must use the same port based untagged VLAN membership assigned for the earliest currently active client session Therefore on a port where one or more authenticated client sessions are already running all such clients are on the same untagged VLAN If a RADIUS server subsequently authenticates a new clie...

Page 511: ...untagged or tagged on port A2 and Figure 12 19 Example of an Active VLAN Configuration In Figure 12 19 if RADIUS authorizes an 802 1X client on port A2 with the requirement that the client use VLAN 22 then VLAN 22 becomes available as Untagged on port A2 for the duration of the session VLAN 33 becomes unavailable to port A2 for the duration of the session because there can be only one untagged VLA...

Page 512: ...ion for VLAN 22 Temporarily Changes for the 802 1X Session However as shown in Figure 12 19 because VLAN 33 is configured as untagged on port A2 and because a port can be untagged on only one VLAN port A2 loses access to VLAN 33 for the duration of the 802 1X session on VLAN 22 You can verify the temporary loss of access to VLAN 33 by entering the show vlan 33 command as shown in Figure 12 21 Even...

Page 513: ...ng the Use of GVRP Learned Dynamic VLANs in Authentication Sessions Syntax aaa port access gvrp vlans Enables the use of dynamic VLANs learned through GVRP in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802 1X MAC or Web authentication session Enter the no form of this command to disable the use of GVRP learned VLANs in an authentication session For infor...

Page 514: ...handled in an authentication session If you remove the configuration of the static VLAN used to create a temporary client session the 802 1X MAC or Web authenticated client is deauthenticated However if a RADIUS configured dynamic VLAN used for an authentication session is deleted from the switch through normal GVRP operation for example if no GVRP advertisements for the VLAN are received on any s...

Page 515: ... 51 No server s responding This message can appear if you configured the switch for EAP RADIUS or CHAP RADIUS authentication but the switch does not receive a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that message page 5 50 LACP ...

Page 516: ...Configuring Port Based and User Based Access Control 802 1X Messages Related to 802 1X Operation 12 76 ...

Page 517: ...wn and Port Security 13 24 MAC Lockdown Operating Notes 13 25 Deploying MAC Lockdown 13 26 MAC Lockout 13 30 Port Security and MAC Lockout 13 32 Web Displaying and Configuring Port Security Features 13 33 Reading Intrusion Alerts and Resetting Alert Flags 13 33 Notice of Security Violations 13 33 How the Intrusion Log Operates 13 34 Keeping the Intrusion Log Current by Resetting Alert Flags 13 35 ...

Page 518: ...Configuring and Monitoring Port Security Contents Web Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags 13 40 Operating Notes for Port Security 13 41 13 2 ...

Page 519: ... enables individual ports to detect prevent and log attempts by unauthorized devices to commu nicate through the switch Not e This feature does not prevent intruders from receiving broadcast and multi cast traffic Also Port Security and MAC Lockdown are mutually exclusive on a switch If one is enabled then the other cannot be used MAC Lockdown Page 13 22 This feature also known as Static Addressin...

Page 520: ...nce port security is configured you can then monitor the network for security violations through one or more of the following Alert flags that are captured by network management tools such as ProCurve Manager PCM and PCM Alert Log entries in the switch s web browser interface Event Log entries in the console interface Intrusion Log entries in the menu interface CLI or web browser interface For any...

Page 521: ...then tication Traps in the Management and Configuration Guide for your switch Port Access Allows only the MAC address of a device authenticated through the switch s 802 1X Port Based access control Refer to chapter 12 Configuring Port Based and User Based Access Control 802 1X For configuration details refer to Configuring Port Security on page 13 12 Eavesdrop Protection Configuring port security ...

Page 522: ...horized by Switch A Logical Topology for Access to Switch A Physical Topology PC1 can access Switch A PCs 2 and 3 can access Switch B and Switch C but are blocked from accessing switch A by the port security settings in switch A Switch C is not authorized to access Switch A Not e Broadcast andMulticast traffic is always allowed and can be readby intruders connected to a port on which you have conf...

Page 523: ... management station and to 2 option ally disable the port on which the intrusion was detected d How do you want to learn of the security violation attempts the switch detects You can use one or more of these methods Through network management That is do you want an SNMP trap sent to a net management station when a port detects a security violation attempt Through the switch s Intrusion Log availab...

Page 524: ...ss 13 16 action 13 16 clear intrusion flag 13 17 no port security 13 17 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses Not e Use the global configuration level to execute port security configuration commands Port Security Display Options You can use the CLI to display the current port security settings and to list the currently a...

Page 525: ...on Only the specified ports with their Learn Mode Address Limit alarm Action and Authorized Addresses Without port parameters show port security displays Operating Control settings for all ports on a switch Figure 13 2 Example Port Security Listing Ports A7 and A8 Show the Default Setting Withportnumbers includedinthecommand showport securitydisplaysLearn Mode Address Limit alarm Action and Author...

Page 526: ...ig show port security A1 A3 A6 A8 Listing Authorized and Detected MAC Addresses Syntax show mac address port list mac address vlan vid Without an optional parameter show mac address lists the authorized MAC addresses that the switch detects on all ports mac address Lists the specified MAC address with the port on which it is detected as an authorized address port list Lists the authorized MAC addr...

Page 527: ...Configuring and Monitoring Port Security Port Security Figure 13 4 Examples of Show Mac Address Outputs 13 11 ...

Page 528: ...ion on page 13 5 continuous Default Appears in the factory default setting or when you executenoport security Allows the port to learn addresses from the device s to which it is connected In this state the port accepts traffic from any device s to which it is connected Addresses learned in the learn continuous mode will age out and be automatically deleted if they are not used regularly The defaul...

Page 529: ...se mac addressto specify only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses it detects If for example You use mac address to authorize MAC address 0060b0 880a80 for port A4 You use address limit to allow three devices on port A4 and the port detects these MAC addresses 1 080090 1362f2 2...

Page 530: ...User Based Access Control 802 1X configured Must specify which MAC addresses are allowed for this port Range is 1 default to 8 and addresses are not ageable Addresses are saved across reboots limited continuous Also known as MAC Secure or limited mode The limited parameter sets a finite limit to the number of learned addresses allowed per port You can set the range from 1 the default to a maximum ...

Page 531: ... Configuration Guide for your switch To set the learn mode to limited use this command syntax port security port list learn mode limited address limit 1 32 action none send alarm send disable The default address limit is 1 but may be set for each port to learn up to 32 addresses The default action is none To see the list of learned addresses for a port use the command show mac port list address li...

Page 532: ...not age out See also Retention of Static Addresses on page 13 17 action none send alarm send disable Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device or when Learn Mode is set to continuous and there is an address change on a port none Prevents an SNMP trap from being sent none is the default value s...

Page 533: ...s even if you later reboot the switch or disable port security for that port The port learns a MAC address after you configure the port for Static learn mode in both the startup config file and the running config file by exe cuting the write memory command The port learns a MAC address after you configure the port for Static learn mode in only the running config file and after the address is learn...

Page 534: ...3456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device ProCurve config port security a1 learn mode static mac address 0c0090 123456 action send disable This example configures port A5 to Allow two MAC addresses 00c100 7fec00 and 0060b0 889e00 as the authorized devices Send an alarm to a management station if an intrude...

Page 535: ... in its Autho rized Address list The Address Limit has not been reached Although the Address Limit is set to 2 only one device has been authorized for this port In this case you can add another without having to also increase the Address Limit Figure 13 5 Example of Adding an Authorized Device to a Port With the above configuration for port A1 the following command adds the 0c0090 456456 MAC addre...

Page 536: ... MAC address to a port on which the Authorized Addresses list is already full as controlled by the port s current Address Limit setting then you must increase the Address Limit in order to add the device even if you want to replace one device with another Using the CLI you can simultaneously increase the limit and add the MAC address with a single command For example suppose port A1 allows one aut...

Page 537: ...thorized it is recommended that you first reduce the Address Limit address limit integer by 1 as shown below This prevents the possibility of the same device or another unauthorized device on the network from automatically being accepted as authorized for that port To remove a device MAC address from the Authorized list and when the current number of devices equals the Address Limit value you shou...

Page 538: ...wn as static addressing is the permanent assign ment of a given MAC address and VLAN or Virtual Local Area Network to a specific port on the switch MAC Lockdown is used to prevent station movement and MAC address hijacking It also controls address learning on the switch When configured the MAC Address can only be used on the assigned port and the client device will only be allowed on the assigned ...

Page 539: ...an the locked down port Thus TCP connections cannot be established Traffic sent to the locked address cannot be hijacked and directed out the port of the intruder If the device computer PDA wireless device is moved to a different port on the switch by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch t...

Page 540: ...with MAC addresses only while MAC Lockdown specifies both a MAC address and a VLAN for lockdown MAC Lockdown on the other hand is not a list It is a global parameter on the switch that takes precedence over any other security mechanism The MAC Address will only be allowed to communicate using one specific port on the switch MAC Lockdown is a good replacement for port security to create tighter con...

Page 541: ...in the log file can be useful for troubleshooting problems If you are trying to connect a device which has been locked down to the wrong port it will not work but it will generate error messages like this to help you determine the problem Limiting the Frequency of Log Messages The first move attempt or intrusion is logged as you see in the example above Subsequent move attempts send a message to t...

Page 542: ...purpose of using MAC Lockdown is to prevent a malicious user from hijacking an approved MAC address so they can steal data traffic being sent to that address As we have seen MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MAC addr...

Page 543: ...Security Basic MAC Lockdown Deployment In the Model Network Topology shown above the switches that are connected to the edge of the network each have one and only one connection to the core network This means each switch has only one path by which data can travel to Server A You can use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go through the one port on the...

Page 544: ... traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect against some...

Page 545: ... to Switch 1 And when you remove the MAC Lockdown from Switch 1 to prevent broadcast storms or other connectivity issues you then open the network to security problems The use of MAC Lockdown as shown in the above figure would defeat the purpose of using MSTP or having an alternate path Technologies such as MSTP or meshing are primarily intended for an inter nal campus network environment in which...

Page 546: ...and on all switches To use MAC Lockout you must first know the MAC Address you wish to block Syntax no lockout mac mac address Lockout the specified MAC address How It Works Let s say a customer knows there are unauthorized wireless clients whoshouldnothaveaccess to thenetwork The networkadministrator locks out the MAC addresses for the wireless clients by using the MAC Lockout command lockout mac...

Page 547: ...e 13 1 Limits on Lockout MACs VLANs Multicast Filters Lockout MACs 1024 16 16 1025 2048 8 8 If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file Lockout logging format W 10 30 03 21 35 15 maclock module A 0001e6 1f96c0 detected on port A15 W 10 30 03 21 35 18 maclock module A 0001e6 1f96c0 detected on port A15 W 10 30 03 21 35 18 ma...

Page 548: ...y in learning other MAC Addresses Be careful if you use both together however If a MAC Address is locked out and appears in a static learn table in port security the apparently authorized address will still be locked out anyway MACentryconfigurationssetbyportsecurity willbe keptevenifMAC Lockout is configured and the original port security settings will be honored once the Lockout is removed A por...

Page 549: ...e of Security Violations When the switch detects an intrusion on a port it sets an alert flag for that port and makes the intrusion information available as described below While the switch can detect additional intrusions for the same port it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset When a security violatio...

Page 550: ...ment applications such as ProCurve Manager via an SNMP trap sent to a network management station How the Intrusion Log Operates When the switch detects an intrusion attempt on a port it enters a record of this event in the Intrusion Log No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by reset ting the alert flag The Intrusion Log ...

Page 551: ...t will not log another intrusion on the port until you reset the alert flag for either all ports or for the individual port On a given port if the intrusion action is to send an SNMP trap and then disable the port send disable and an intruder is detected on the port then the switch sends an SNMP trap sets the port s alert flag and disables the port If you re enable the port without resetting the p...

Page 552: ...shows Yes for any port onwhichasecurity violation has been Figure 13 13 Example of Port Status Screen with Intrusion Alert on Port A3 2 Type I Intrusion log to display the Intrusion Log MAC Address of Intruding Device on Figure 13 14 Example of the Intrusion Log Display The example in Figure 7 11 shows two intrusions for port A3 and one intrusion for port A1 In this case only the most recent intru...

Page 553: ...alert flags for all such ports If you then re display the port status screen you will see that the Intrusion Alert entry for port A3 has changed to No That is your evidence that the Intrusion Alert flag has been acknowledged reset is that the Intrusion Alert column in the port status display no longer shows Yes for the port on which the intrusion occurred port A3 in this example Because the Intrus...

Page 554: ...latest Intruder on Port A1 Earlier intrusions on port A1 that have already been cleared that is the Alert Flag has been reset at least twice before the most recent intrusion Figure 13 16 Example of the Intrusion Log with Multiple Entries for the Same Port The above example shows three intrusions for port A1 Since the switch can show only one uncleared intrusion per port the older two intrusions in...

Page 555: ...port security a1 clear intrusion flag ProCurve config show interfaces brief Intrusion Alert on port A1 is now Figure 13 17 Example of Port Status Screen After Alert Flags Reset For more on clearing intrusions see Note on Send Disable Operation on page 13 35 Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as W MM DD YY HH MM SS FFI port A3 Security Violatio...

Page 556: ...ion See Using the Event Log To Identify Problem Sources in the Troubleshooting chapter of the Management and Configuration Guide for your switch Web Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags 1 Check the Alert Log by clicking on the Status tab and the Overview button If there is a Security Violation entry do the following a Click on the Security tab b Click on Intru...

Page 557: ...t your PC or workstation MAC address and interprets your connection as unauthorized Prior To Entries in the Intrusion Log If you reset the switch using the Reset button Device Reset or Reboot Switch the Intrusion Log will list the time of all currently logged intrusions as prior to the time of the reset Alert Flag Status for Entries Forced Off of the Intrusion Log If the Intrusion Log is full of e...

Page 558: ...d on secured port s ProCurve config The switch will not allow you to configure LACP on a port on which port security is enabled For example ProCurve config int e a17 lacp passive Error configuring port A17 LACP and port security cannot be run together ProCurve config To restore LACP to the port you must remove port security and re enable LACP active or passive 13 42 ...

Page 559: ...rized IP Manager s 14 6 Configuring IP Authorized Managers for the Switch 14 6 Web Configuring IP Authorized Managers 14 8 Web Proxy Servers 14 8 How to Eliminate the Web Proxy Server 14 9 Using a Web Proxy Server to Access the Web Browser Interface 14 9 Web Based Help 14 9 Building IP Masks 14 10 Configuring One Station Per Authorized Manager IP Entry 14 10 Configuring Multiple Stations Per Autho...

Page 560: ...he Authorized IP Managers feature takes precedence over local passwords TACACS RADIUS Port Based Access Control 802 1X and Port Security This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features If the Authorized IP Managers feature disallows access to the device then a...

Page 561: ...security by keepingphysicalaccesstotheswitchrestrictedtoauthorizedpersonnel using the username password and other security features available in the switch and preventing unauthorized access to data on your management stations Access Levels Foreachauthorizedmanageraddress youcanconfigureeitheroftheseaccess levels Manager Enables full access to all screens for viewing configuration and all other op...

Page 562: ... station Not e If the management VLAN is configured access can only be on that VLAN Overview of IP Mask Operation The default IP Mask is 255 255 255 255 and allows switch access only to a station having an IP address that is identical to the Authorized Manager IP parameter value 255 in an octet of the mask means that only the exact value in the corresponding octet of the Authorized Manager IP para...

Page 563: ...5 0 Operator ssh 1 Select Add to add an authorized manager to the list Actions Back Add Edit Delete Help Figure 14 1 Example of How to Add an Authorized Manager Entry ProCurve 22 Apr 2008 20 17 53 CONSOLE MANAGER MODE Switch Configuration IP Managers Authorized Manager IP 10 10 245 3 IP Mask 255 255 255 255 255 255 255 255 Access Level Operator Enter an Authorized Manager IP address here Help Use ...

Page 564: ... Switch s Current Authorized IP Manager s Use the show ip authorized managers command to list IP stations authorized to access the switch For example ProCurve config show ip authorized manager IPV4 Authorized Managers Address 10 10 10 10 Mask 255 255 255 255 Access Manager Figure 14 3 Example of show authorized managers Command Configuring IP Authorized Managers for the Switch See the IPv6 Configu...

Page 565: ...t specify either Manager or Operator access the switch assigns the Manager access To Edit an Existing Manager Access Entry To change the mask or access level for an existing entry use the entry s IP address and enter the new value s Notice that any parameters not included in the command will be set to their default ProCurve config ip authorized managers 10 28 227 101 255 255 255 0 access operator ...

Page 566: ...zed Addresses button 3 Enter the appropriate parameter settings for the operation you want 4 Click on Add Replace or Delete to implement the configuration change Figure 14 5 Example of Configuring Authorized Manager Access Method in the Web Interface Web Proxy Servers If you use the web browser interface to access the switch from an authorized IP manager station it is highly recommended that you a...

Page 567: ...a web proxy server Using a Web Proxy Server to Access the Web Browser Interface C a u t i o n This is NOT recommended Using a web proxy server between the stations and the switch poses a security risk If the station uses a web proxy server to connect to the switch any proxy user can access the switch If it is necessary to use the switch s web browser interface and your browser access is through a ...

Page 568: ... that octet of the corresponding IP address is allowed This mask allows Authorized 10 33 248 5 management access only to a station having an IP address of 10 33 248 5 Manager IP Configuring Multiple Stations Per Authorized Manager IP Entry ThemaskdetermineswhethertheIPaddressofastationonthenetworkmeets the criteria you specify That is for a given Authorized Manager entry the switch applies the IP ...

Page 569: ...the first three octets of the mask specify that only the exact 28 227 125 value in the octet of the corresponding IP address is allowed However the zero 0 in the 4th octet of the mask allows any value between 0 and 255inthatoctetofthecorrespondingIPaddress Thismaskallowsswitch access to any device having an IP address of 10 28 227 xxx where xxx is any value from 0 to 255 255 255 249 In this exampl...

Page 570: ...the switch The first three octets of the station s IP address must match the Authorized IP Address Bit 0 and Bits 3 through 6 of the 4th octet in the station s address must be on value 1 Bit 7 of the 4th octet in the station s address must be off value 0 Bits 1 and 2 can be either on or off This means that stations with the IP address 13 28 227 X where X is 121 123 125 or 127 are authorized Additi...

Page 571: ...roxy Servers If you use the web browser interface to access the switch from an authorized IP manager station it is recommended that you avoid the use of a web proxy server in the path between the station and the switch This is because switch access through a web proxy server requiresthatyoufirstaddthewebproxy serverto theAuthorizedManager IP list This reduces security by opening switch access to a...

Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...

Page 573: ...m Contents Overview 15 2 Terminology 15 2 Configuring Key Chain Management 15 3 Creating and Deleting Key Chain Entries 15 3 Assigning a Time Independent Key to a Chain 15 4 Assigning Time Dependent Keys to a Chain 15 5 15 1 ...

Page 574: ...ances of routing protocols with one or more Send or Accept keys that must be active at the time of a request A protocol instance is usually an interface on which the protocol is running Feature Default Menu CLI Web Generating a Key Chain n a n a page 15 3 n a Generating a Time Independent key n a n a page 15 4 n a Generating a Time Dependent key n a n a page 15 5 n a Terminology Key Chain A key or...

Page 575: ...hain to a KMS enabled protocol This procedure is protocol dependent For information on a specific protocol refer to the chapter covering that protocol in the Management and Configu ration Guide for your switch Creating and Deleting Key Chain Entries To use the Key Management System KMS you must create one or more key chain entries An entry can be the pointer to a single time independent key or a c...

Page 576: ... Time Independent Key to a Chain A time independent key has no Accept or Send time constraints It is valid from boot up until you change it If you use a time independent key then it is the only key needed for a key chain entry Syntax no key chain chain_name key key_id Generates or deletes a key in the key chain entry chain_name Using the optional no form of the command deletes the key The key_id i...

Page 577: ...independent key for the Procurve1 key chain entry Adds a new Time Independent key to the Procurve1 chain Displays keys in the key chain entry Figure 15 2 Example of Adding and Displaying a Time Independent Key to a Key Chain Entry Assigning Time Dependent Keys to a Chain A time dependent key has Accept or Send time constraints It is valid only during the times that are defined for the key If a tim...

Page 578: ...fies the start date and time of the valid period in which the switch can transmit this key as authentication for outbound packets duration mm dd yy yy hh mm ss seconds Specifies the time period during which the switch can use this key to authenticate outbound packets Duration is either an end date and time or the number of seconds to allow after the start date and time which is the accept lifetime...

Page 579: ... the variations in the time value from switch to switch it is advisable to include some flexibility in the Accept lifetime of the keys you configure Otherwise the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches To list the result of the commands in figure 15 3 Figure 15 4 Display of Time Dependent K...

Page 580: ...play would appear as follows Figure 15 5 Status of Keys in Key Chain Entry Procurve2 The Procurve1 key chain entry is a time independent key and will not expire Procurve2 uses time dependent keys which result in this data Expired 1 Key 1 has expired because its lifetime ended at 8 10 on 01 18 03 the previous day Active 2 Key 2 and 3 are both active for 10 minutes from 8 00 to 8 10 on 1 19 03 Keys ...

Page 581: ...2 75 12 39 12 5 open port 12 4 authorized client 12 33 configuration 12 43 12 45 general operation 12 31 mode 12 31 12 37 operating notes 12 46 12 38 PVID no 12 62 security breach 12 46 12 42 12 56 12 62 12 63 unauthorized client 12 33 VLAN after authentication 12 33 12 39 12 46 12 33 12 34 12 39 12 46 12 65 12 3 password for port access 2 12 2 21 12 17 access 12 4 client without authentication 12...

Page 582: ...ounting See RADIUS ACL 802 1X effect on 9 16 ACE after match not used 9 26 9 39 defined 9 10 general rules 9 42 insert in list 9 77 limit 9 27 minimum number 9 99 not used 9 22 See sequence ACEs 9 26 application point 9 18 9 24 9 6 9 14 9 16 9 18 9 20 9 41 9 34 9 73 9 74 basic structure 9 35 character limit 9 45 CIDR 9 11 mask 9 43 9 47 9 51 command summary extended 9 8 standard 9 6 9 46 9 50 9 18...

Page 583: ...equence number 9 7 9 44 9 36 use 9 14 9 45 9 9 9 13 9 15 9 28 9 6 9 30 9 40 See command syntax Syslog See ACL logging TCP or UDP port number IANA 9 62 9 61 9 62 terms 9 10 ToS setting 9 18 9 60 9 70 traffic not filtered 9 26 9 5 9 24 9 28 9 40 9 45 9 78 9 85 9 88 9 89 user based 802 1X 9 16 VACL operation defined 9 14 9 28 wildcard 9 11 9 31 9 13 ACL IPv4 monitoring 9 92 ACL IPv4 statistics counte...

Page 584: ...curity credentials in multiple files 2 20 SSH See SSH storage of security credentials console authorized IP managers configuring 14 5 CoS configuring using RADIUS server 6 4 non default priority 6 8 override 6 4 12 62 priority assignment 5 4 RADIUS override 6 7 viewing per port config 6 6 crypto babble 7 11 fingerprint 7 11 D DA defined 6 10 9 11 9 12 database snooping 10 4 debug logging DHCP snoo...

Page 585: ...odels 11 2 editing 11 20 filter indexing 11 22 11 9 idx 11 9 11 22 11 9 11 22 named 11 6 operating rules 11 4 11 6 port trunk operation 11 3 11 19 show 11 9 value 11 9 See also source port filters filters effect of IGMP 11 16 multicast 11 15 overview 11 2 protocol 11 16 source port 11 4 11 22 11 3 types 11 3 Framed IP Address 5 36 G guest VLAN 12 7 12 8 12 31 GVRP dynamic VLANs 12 73 effect on cli...

Page 586: ... MAC authentication authenticator operation 3 5 blocked traffic 3 2 CHAP defined 3 10 usage 3 2 client status 3 42 3 3 3 33 on the switch 3 32 switch for RADIUS access 3 16 the RADIUS server 3 15 general setup 3 13 hierarchy of precedence in authentication session 1 19 LACP not allowed 3 12 overview 1 6 port access 12 4 rules of operation 3 11 show status and configuration 3 36 terminology 3 10 MA...

Page 587: ... operation 13 4 caution device limit 13 14 13 7 13 33 13 40 event log 13 39 notice of security violations 13 33 operating notes 13 41 1 8 13 3 prior to 13 41 TCP UDP closed ports 10 23 port based access control password 2 12 2 21 13 14 VLAN tagged member 12 33 See also 802 1X access control ports trusted 10 5 prior to 13 37 13 38 13 41 Privacy Enhanced Mode PEM See SSH privilege mode 4 11 4 12 Pro...

Page 588: ...ort numbers 7 18 8 20 Reset on clear disabled when saving security credentials to configuration file 2 20 resource monitor See Management and Configuration Guide RFCs RFC 2548 5 34 routing source routing caution 6 14 9 19 9 34 RSA key cert 7 10 S SA 9 12 security authorized IP managers 14 1 per port 13 3 security credentials 802 1X credentials saved to configuration file 2 15 2 21 copying configur...

Page 589: ...rd security 7 19 7 20 7 8 PEM 7 3 prerequisites 7 4 2 21 7 4 7 13 7 14 2 12 2 16 reserved IP port numbers 7 18 security 7 19 SSHv2 7 2 steps for configuring 7 5 7 12 terminology 7 3 15 2 unauthorized access 7 28 version 7 2 zeroing a key 7 10 SSL CA signed 8 3 8 15 8 3 8 15 8 7 client behavior 8 17 8 18 8 10 disabling 8 9 8 17 enabling 8 17 8 9 generate CA signed 8 15 8 9 8 12 8 9 8 12 8 9 8 8 hos...

Page 590: ...ame cleared 2 7 SNMP configuration 2 3 V Vendor Specific Attribute 6 11 vendor specific attribute configured in RADIUS server 6 4 5 29 defining 5 30 virus detection monitoring ARP requests 10 23 VLAN 802 1X 12 67 12 70 12 74 12 63 not advertised for GVRP 12 70 12 74 VLANs GVRP created 12 74 12 73 See also VLAN VSA 6 11 See vendor specific attribute W Wake on LAN on 802 1X aware ports 12 29 3 21 wa...

Page 591: ...SSL 8 18 unsecured access SSL 8 18 web server proxy 13 41 wildcard See ACL wildcard See ACL wildcard ACL defined 6 11 Index 11 ...

Page 592: ...12 Index ...

Page 593: ......

Page 594: ... Copyright 2009 Hewlett Packard Development Company L P February 2009 Manual Part Number 5992 5439 ...

Reviews:

No comments