manualshive.com logo in svg

HP ProCurve 2800 Series, Руководство пользователя, Страница: 135 / 300

Поделиться
Скачать
HP ProCurve 2800 Series Скачать руководство пользователя страница 135

Configuring Secure Shell (SSH) 

Overview 

N o t e  

SSH in the HP Procurve is based on the OpenSSH software toolkit. For more 
information on OpenSSH, visit 

http://www.openssh.com

Switch SSH and User Password Authentication . 

This option is a subset 

of the client public-key authentication show in figure 6-1. It occurs if the switch 
has SSH enabled but does not have login access (

login public-key

) configured 

to authenticate the client’s key. As in figure 6-1, the switch authenticates itself 
to SSH clients. Users on SSH clients then authenticate themselves to the 
switch (login and/or enable levels) by providing passwords stored locally on 
the switch or on a  or RADIUS server. However, the client does not 
use a key to authenticate itself to the switch. 

HP 

Switch 

(SSH 

Server) 

SSH 

Client 

Work-

Station 

1. Switch-to-Client SSH 

2. User-to-Switch (login password and 

enable password authentication) 
options: 

–  Local 
–   

Figure 6-2. Switch/User Authentication 

SSH on the HP ProCurve switches covered in this guide supports these data 
encryption methods: 

■ 

3DES (168-bit) 

■ 

DES (56-bit) 

N o t e  

The HP ProCurve switches covered in this guide use the RSA algorithm for 
internally generated keys (v1/v2 shared host key & v1 server key). However, 
HP ProCurve switches support both RSA and DSA/DSS keys for client authen­
tication. All references to either a public or private key mean keys generated 
using these algorithms unless otherwise noted 

6-3 

Содержание ProCurve 2800 Series

Страница 1: ...Access Security Guide www hp com go hpprocurve Switch 2600 Series Switch 2600 PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 ...

Страница 2: ......

Страница 3: ...HP ProCurve Switch 2600 Series Switch 2600 PWR Series Switch 2800 Series Switch 4100gl Series Switch 6108 Access Security Guide October 2004 ...

Страница 4: ...ftware written by Tim Hudson tjh cryptsoft com Disclaimer HEWLETT PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performanc...

Страница 5: ...y Convention for Examples 1 7 Related Publications 1 7 Getting Documentation From the Web 1 9 Sources for More Information 1 10 Need Only a Quick Start 1 11 To Set Up and Install the Switch in Your Network 1 11 2 Configuring Username and Password Security Contents 2 1 Overview 2 2 Configuring Local Password Security 2 4 Menu Setting Passwords 2 4 CLI Setting Passwords and Usernames 2 5 Web Setting...

Страница 6: ...ore You Configure Web MAC Authentication 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication on the Switch 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentication on the Switch 3 22 Overview 3 22 Configure the Switch for ...

Страница 7: ...g a TACACS Server 4 20 Local Authentication Process 4 22 Using the Encryption Key 4 23 Controlling Web Browser Interface Access When Using TACACS Authentication 4 24 Messages Related to TACACS Operation 4 25 Operating Notes 4 25 5 RADIUS Authentication and Accounting Contents 5 1 Overview 5 2 Terminology 5 3 Switch Operating Rules for RADIUS 5 4 General RADIUS Setup Procedure 5 5 Configuring the S...

Страница 8: ...logy 6 4 Prerequisite for Using SSH 6 5 Public Key Formats 6 5 Steps for Configuring and Using SSH for Switch and Client Authentication 6 6 General Operating Rules and Notes 6 8 Configuring the Switch for SSH Operation 6 9 1 Assigning a Local Login Operator and Enable Manager Password 6 9 2 Generating the Switch s Public and Private Key Pair 6 10 3 Providing the Switch s Public Key to Clients 6 12...

Страница 9: ... in SSL setup 7 21 8 Configuring Port Based Access Control 802 1X Contents 8 1 Overview 8 3 Why Use Port Based Access Control 8 3 General Features 8 3 How 802 1X Operates 8 6 Authenticator Operation 8 6 Switch Port Supplicant Operation 8 7 Terminology 8 8 General Operating Rules and Notes 8 10 General Setup Procedure for Port Based Access Control 802 1X 8 12 Do These Steps Before You Configure 802...

Страница 10: ...on Statistics and Counters 8 38 Show Commands for Port Access Authenticator 8 38 Viewing 802 1X Open VLAN Mode Status 8 40 Show Commands for Port Access Supplicant 8 43 How RADIUS 802 1X Authentication Affects VLAN Operation 8 44 Messages Related to 802 1X Operation 8 48 9 Configuring and Monitoring Port Security Contents 9 1 Overview 9 2 Basic Operation 9 2 Blocking Unauthorized Traffic 9 3 Trunk...

Страница 11: ...ort Security 9 36 10 Traffic Security Filters HP ProCurve Series 2600 2600 PWR and 2800 Switches Contents 10 1 Overview 10 2 Using Source Port Filters 10 4 Operating Rules for Source Port Filters 10 4 Configuring a Source Port Filter 10 5 Viewing a Source Port Filter 10 7 Filter Indexing 10 8 Editing a Source Port Filter 10 9 11 Using Authorized IP Managers Contents 11 1 Overview 11 2 Options 11 3...

Страница 12: ... 9 Configuring One Station Per Authorized Manager IP Entry 11 9 Configuring Multiple Stations Per Authorized Manager IP Entry 11 11 Additional Examples for Authorizing Multiple Stations 11 13 Operating Notes 11 13 Index x ...

Страница 13: ...Traffic Security Guideline 1 5 Command Syntax Conventions 1 6 Simulating Display Output 1 6 Command Prompts 1 6 Screen Simulations 1 7 Port Identity Convention for Examples 1 7 Related Publications 1 7 Getting Documentation From the Web 1 9 Sources for More Information 1 10 Need Only a Quick Start 1 11 To Set Up and Install the Switch in Your Network 1 11 1 1 ...

Страница 14: ...oCurve Switch 2800 Series 2824 2848 HP ProCurve Switch 2600 Series 2626 2650 HP ProCurve Switch 6108 The Product Documentation CD ROM shipped with the switch includes this guide You can also download the latest version from the HP ProCurve website Refer to Getting Documentation From the Web on page 1 9 About the Feature Descriptions In cases where a software feature is not available in all of the ...

Страница 15: ...ntrol 802 1X page 8 1 On point to point connections enables the switch to allow or deny traffic between a port and an 802 1X aware device supplicant attempting to access the switch Also enables the switch to operate as a supplicant for connections to other 802 1X aware switches Port Security page 9 1 Enables a switch port to maintain a unique list of MAC addresses defining which specific devices a...

Страница 16: ...es No Remote Yes No No Yes No SSH Ptp Yes No No Yes No Remote Yes No No Yes No SSL Ptp No No Yes No No Remote No No Yes No No Port Based Access Control 802 1X PtP Yes Yes Yes Yes Yes Remote No No No No No Port Security MAC address PtP Yes Yes Yes Yes Yes Remote Yes Yes Yes Yes Yes Authorized IP Managers PtP Yes Yes Yes Yes No Remote Yes Yes Yes Yes No 1 The local Manager Operator TACACS and RADIUS...

Страница 17: ...from the lowest to the highest The following list shows the order in which the switch implements configured security features on traffic moving through a given port 1 Disabled Enabled physical port 2 MAC lockout Applies to all ports on the switch 3 MAC lockdown 4 Port security 5 Authorized IP Managers 6 Application features at higher levels in the OSI model such as SSH The above list does not addr...

Страница 18: ...e key from a TFTP server Italics indicate variables for which you must supply a value when executing the command For example in this command syntax you must provide one or more port numbers Syntax aaa port access authenticator port list Simulating Display Output Command Prompts In the default configuration your switch s CLI prompt includes the switch model number and appears similar to the followi...

Страница 19: ...d port identity system such as A1 B3 B5 C7 etc However unless otherwise noted such examples apply equally to the stackable switches which typically use only numbers such as 1 3 5 15 etc for port identities Related Publications Product Notes and General Software Update Information The printed Read Me First shipped with your switch provides software update information productnotes andotherinformatio...

Страница 20: ... the access security features included in this guide Troubleshooting software operation HP provides a PDF version of this guide on the Product Documentation CD ROM shipped with the switch You can also download the latest copy from the HP ProCurve website See Getting Documentation From the Web on page 1 9 Release Notes Release notes are posted on the HP ProCurve website and provide information on n...

Страница 21: ...rom the Web Getting Documentation From the Web 1 Go to the HP ProCurve website at http www hp com go hpprocurve 2 Click on technical support 3 Click on manuals 4 Click on the product for which you want to view or download a manual 2 3 4 1 9 ...

Страница 22: ...terface If you need information on a specific command in the CLI type the command name followed by help For example Figure 1 3 How To Find Help in the CLI If you need information on specific features in the HP Web Browser Interface hereafter referred to as the web browser interface use the online help available for the web browser interface For more information on web browser Help options refer to...

Страница 23: ...l prompt HPswitch setup In the Main Menu of the Menu interface select 8 Run Setup For more on using the Switch Setup screen refer to the Installation and Getting Started Guide you received with the switch To Set Up and Install the Switch in Your Network Use the Installation and Getting Started Guide for your switch model shipped with the switch for the following Notes cautions and warnings related...

Страница 24: ...Getting Started To Set Up and Install the Switch in Your Network This page is intentionally unused 1 12 ...

Страница 25: ...rity 2 4 Menu Setting Passwords 2 4 CLI Setting Passwords and Usernames 2 5 Web Setting Passwords and Usernames 2 6 Front Panel Security 2 7 When Security Is Important 2 7 Front Panel Button Functions 2 9 Configuring Front Panel Security 2 12 Password Recovery 2 17 Password Recovery Process 2 19 2 1 ...

Страница 26: ...ssword pair username and password on each of these levels Note Usernames are optional Also in the menu interface you can configure passwords but not usernames To configure usernames use the CLI or the web browser interface Level Actions Permitted Manager Access to all console interface areas This is the default level That is if a Manager password has not been set prior to starting the current cons...

Страница 27: ... you added security against unautho rized console access Note The manager and operator passwords and optional usernames control access to the menu interface CLI and web browser interface If you configure only a Manager password with no Operator password and in a later session the Manager password is not entered correctly in response to a prompt from the switch then the switch does not allow manage...

Страница 28: ...To set a new password a Select Set Manager Password or Set Operator Password You will then be prompted with Enter new password b Type a password of up to 16 ASCII characters with no spaces and press Enter Remember that passwords are case sensitive c When prompted with Enter new password again retype the new pass word and press Enter After you configure a password if you subsequently start a new co...

Страница 29: ...above 3 Select Delete Password Protection You will then see the following prompt Continue Deletion of password protection No 4 Press the Space bar to select Yes then press Enter 5 Press Enter to clear the Password Protection message To Recover from a Lost Manager Password If you cannot start a con sole session at the Manager level because of a lost Manager password you can clear the password by ge...

Страница 30: ...f assigned from the switch you would do the following Press Y for yes and press Enter Figure 2 3 Removing a Password and Associated Username from the Switch The effect of executing the command in figure 2 3 is to remove password protection from the Operator level This means that anyone who can access the switch console can gain Operator access without having to enter a user name or password Web Se...

Страница 31: ... default configuration by using the Reset Clear button combination Gaining management access to the switch by having physical access to the switch itself When Security Is Important Some customers require a high level of security for information Also the Health Insurance Portability and Accountability Act HIPAA of 1996 requires that systems handling and transmitting confidential medical records mus...

Страница 32: ...easily be cleared by pressing the Clear button Someone who has physical access to the switch may be able to erase the passwords andpossiblyconfigurenewpasswords andtake control of the switch As a result of increased security concerns customers now have the ability to stop someone from removing passwords by disabling the Clear and or Reset buttons on the front of the switch 2 8 ...

Страница 33: ... Test Clear Reset Fan Status 4 5 1 13 12 11 10 9 8 7 6 Spd mode off 10 Mbps flash 100 Mbps on 1000 Mbps 1 Power Fault hp procurve switch 2650 J4899A 1 2 3 Spd Lnk Act FDx Figure 2 4 Example Front Panel Button Locations Clear Button Pressing the Clear button alone for one second resets the password s con figured on the switch Reset Clear Figure 2 5 Press the Clear Button for One Second To Reset the...

Страница 34: ...ress and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration Youcanalsousethe Resetbuttontogether withtheClearbutton Reset Clear to restore the factory default configuration for the switch To do this 1 Press and hold the Reset button Reset Clear 2 While holding the Reset button press and hold the Clear button Reset Clear 2 10 ...

Страница 35: ...e Reset button and wait for about one second for the Self Test LED to start flashing Reset Clear Self Test 4 When the Self Test LED begins flashing release the Clear button Reset Clear Self Test This process restores the switch configuration to the factory default settings 2 11 ...

Страница 36: ...e or re enable Password Recovery Syntax show front panel security Displays the current front panel security settings Clear Password Shows the status of the Clear button on the front panel of the switch Enabled means that pressing the Clear button erases the local usernames and passwords configured on the switch and thus removes local password protection from the switch Disabled means that pressing...

Страница 37: ...e default front panel security settings Figure 2 7 The Default Front Panel Security Settings Disabling the Clear Password Function of the Clear Button on the Switch s Front Panel Syntax no front panel security password clear In the factory default configuration pressing the Clear button on the switch s front panel erases any local usernames and passwords configured on the switch This command disab...

Страница 38: ...n the switch s front panel In this case the Show command does not include the reset on clear status because it is inoperable while theClearPasswordfunctionalityisdisabled and mustbereconfiguredwheneverClearPassword is re enabled Figure 2 8 Example of Disabling the Clear Button and Displaying the New Configuration 2 14 ...

Страница 39: ...disabled use this syntax no front panel security password clear reset on clear To enable password clear with reset on clear also enabled use this syntax front panel security password clear reset on clear Either form of the command enables password clear Note If you disable password clear and also disable the password recovery option you can still recover from a lost password by using the Reset Cle...

Страница 40: ... combination to replace the switch s current configu ration with the factory default configuration and render the switch acces sible without the need to input a username or password You can use the factory reset command to prevent the Reset Clear combination from being used for this purpose Syntax no front panel security factory reset Disables or re enables the following functions associated with ...

Страница 41: ...er Care Center to acquire a one time use password Disabling or Re Enabling the Password Recovery Process Disabling the password recovery process means that the only method for recovering from a lost manager username if configured and password is to reset the switch to its factory default configuration which removes any nondefault configuration settings C a u t i o n Disabling password recovery req...

Страница 42: ...iguration Note To disable password recovery Youmusthavephysicalaccesstothefrontpaneloftheswitch The factory reset parameter must be enabled the default Default Enabled Steps for Disabling Password Recovery 1 Set the CLI to the global interface context 2 Use show front panel security to determine whether the factory reset parameter is enabled If it is disabled use the front panel security factory r...

Страница 43: ...witch from the network to prevent unauthorized access and other problems while it is being reconfigured To use the password recovery option to recover a lost password 1 Note the switch s base MAC address It is shown on the label located on the upper right front corner of the switch 2 Contact your HP Customer Care Center for further assistance Using the switch s MAC address the HP Customer Care Cen...

Страница 44: ...Configuring Username and Password Security Front Panel Security This page is intentionally unused 2 20 ...

Страница 45: ...AC Authentication 3 12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication 3 14 Configuring the Switch To Access a RADIUS Server 3 15 Configuring Web Authentication on the Switch 3 17 Overview 3 17 Configure the Switch for Web Based Authentication 3 18 Configuring MAC Authentication on the Switch 3 22 Overview 3 22 Configure the Switch for MAC Based Authenticatio...

Страница 46: ...tions where introduc ing supplicant software is not an attractive option Both methods rely on using a RADIUS server for authentication This simplifies access security manage ment by allowing you to control access from a master database in a single server You can use up to three RADIUS servers to provide backups in case access to the primary server fails It also means the same credentials can be us...

Страница 47: ...thentication type on a port This means that Web authentication MAC authentication 802 1X MAC lockdown MAC lockout and port security are mutually exclusive on a given port Also LACP must be disabled on ports configured for any of these authentication methods Client Options Web Auth and MAC Auth provide a port based solution in which a port can belong to one untagged VLAN at a time However where all...

Страница 48: ...us are provided when using Web Authentication You can use the RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client When a RADIUS server authenticates a client the switch port membership during the client s connection is determined according to the following hierarchy 1 A RADIUS assigned VLAN 2 An authorized VLAN specified in the Web or MAC Auth configurati...

Страница 49: ...eceive no network access or limited network access as defined by the System Administrator Web based Authentication When a client connects to a Web Auth enabled port communication is redi rected to the switch A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials Figure 3 1 Example of User Login Screen The temporary IP address pool...

Страница 50: ...then for the duration of the client session the port belongs to the authorized VLAN auth vid if configured and temporarily drops all other VLAN memberships 3 If neither 1 or 2 above apply but the port is an untagged member of a statically configured port based VLAN then the port remains in this VLAN 4 If neither 1 2 or 3 above apply then the client session does not have access to any statically co...

Страница 51: ... to provide access to specific guest network resources If no VLAN is assigned to unauthenticated clients the port is blocked and no network access is available Should another client success fully authenticate through that port any unauthenticated clients on the unauth vid are dropped from the port MAC based Authentication When a client connects to a MAC Auth enabled port traffic is blocked The swi...

Страница 52: ... At the end of the session the port returns to its pre authentication state Any changes to the port s VLAN memberships made while it is an authenticated port take affect at the end of the session A client may not be authenticated due to invalid credentials or a RADIUS server timeout The server timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timi...

Страница 53: ...roper credentials MAC address or username and password before being allowed access to the network CHAP Challenge Handshake Authentication Protocol Also known as CHAP RADIUS Client In this application an end node device such as a management station workstation or mobile PC linked to the switch through a point to point LAN link Redirect URL A System Administrator specified web page presented to an a...

Страница 54: ...ort this misconfiguration does not allow Web or MAC Authentication to occur VLANs If your LAN does not use multiple VLANs then you do not need to configure VLAN assignments in your RADIUS server or considerusing either Authorized orUnauthorized VLANs Ifyour LAN does use multiple VLANs then some of the following factors may apply to your use of Web Auth and MAC Auth Web Auth and MAC Auth operate on...

Страница 55: ...clients in either category to access must be available on those VLANs Where a given port s configuration includes an unauthorized client VLAN assignment the port will allow an unauthenticated client session only while there are no requests for an authenticated client session on that port In this case if there is a successful request for authentication from an authorized client the switch terminate...

Страница 56: ... Do These Steps Before You Configure Web MAC Authentication 1 Configure a local username and password on the switch for both the Operator login and Manager enable access levels While this is not required for a Web or MAC based configuration HP recommends that you use a local user name and password pair at least until your other security measures are in place to protect the switch configuration fro...

Страница 57: ...e either 100 or vlan100 to specify the VLAN 4 Determine whether to use the optional Unauthorized VLAN mode for clients that the RADIUS server does not authenticate This VLAN must be statically configured on the switch If you do not configure an Unautho rized VLAN the switch simply blocks access to unauthenticated clients trying to use the port 5 Determine the authentication policy you want on the ...

Страница 58: ...y access The switch provides four format options aabbccddeeff the default format aabbcc ddeeff aa bb cc dd ee ff aa bb cc dd ee ff Note on MAC Letters in MAC addresses must be in lowercase Addresses If the device is a switch or other VLAN capable device use the base MAC address assigned to the device and not the MAC address assigned to the VLAN through which the device communicates with the authen...

Страница 59: ...tication and Account ing Syntax no radius server host ip address Adds a server to the RADIUS configuration or with no deletes a server from the configuration You can config ure up to three RADIUS server addresses The switch uses the first server it successfully accesses Refer to RADIUS Authentication and Accounting on page 5 1 key global key string Specifies the global encryption key the switch us...

Страница 60: ...ncryption key above The no form of the command removes the key configured for a specific server For example to configure the switch to access a RADIUS server at IP address 192 168 32 11 using a server specific shared secret key of 2Pzo22 HPswitch config radius server host 192 168 32 11 key 2Pzo22 HPswitch config show radius S tatus and Counters General RADIUS Information Deadtime min 0 Timeout sec...

Страница 61: ...ents can access the redirect URL 4 Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support Web Auth on the switch 5 Configure the switch with the correct IP address and encryption key to access the RADIUS server 6 Configure the switch for Web Auth a Configure Web Authentication on the switch ports you want...

Страница 62: ...aaa port access web based e port list 3 19 auth vid 3 19 client limit 3 19 client moves 3 20 logoff period 3 20 max requests 3 20 max retries 3 20 quiet period 3 21 reauth period 3 21 reauthenticate 3 21 redirect url 3 21 server timeout 3 21 ssl login 3 22 unauth vid 3 22 Syntax aaa port access web based dhcp addr ip address mask Specifies the base address mask for the temporary IP pool used by DH...

Страница 63: ...form of the command to disable web based authentication on the specified ports Syntax aaa port access web based e port list auth vid vid no aaa port access web based e port list auth vid Specifies the VLAN to use for an authorized client The Radius server can override the value accept response includes a vid If auth vid is 0 no VLAN changes occur unless the RADIUS server supplies one Use the no fo...

Страница 64: ...o moves allowed Syntax aaa port access web based e port list logoff period 60 9999999 Specifies the period in seconds that the switch enforces for an implicit logoff This parameter is equivalent to the MAC age interval in a traditional switch sense If the switch does not see activity after a logoff period interval the client is returned to its pre authentication state Default 300 seconds Syntax aa...

Страница 65: ... attached clients on the port Syntax aaa port access web based e port list redirect url url no aaa port access web based e port list redirect url Specifies the URL that a user is redirected to after a successful login Any valid fully formed URL may be used for example http welcome server welcome htm or http 192 22 17 5 HP recommends that you provide a redirect URL when using Web Authentication Use...

Страница 66: ...pecifies the VLAN to use for a client that fails authen tication If unauth vid is 0 no VLAN changes occur Use the no form of the command to set the unauth vid to 0 Default 0 Configuring MAC Authentication on the Switch This feature is available only on the Series 2600 2600 PWR and 2800 Switches Overview 1 If you have not already done so configure a local username and password pair on the switch 2 ...

Страница 67: ...ormat 3 23 no aaa port access mac based e port list 3 24 addr limit 3 24 addr moves 3 24 auth vid 3 24 logoff period 3 24 max requests 3 25 quiet period 3 25 reauth period 3 25 reauthenticate 3 25 server timeout 3 25 unauth vid 3 25 Syntax aaa port access mac based addr format no delimiter single dash multi dash multi colon Specifies the MAC address format to be used in the RADIUS request message ...

Страница 68: ...ws addresses to move without requiring a re authentica tion When disabled the switch does not allow moves and when one does occur the user will be forced to re authenticate At least two ports from port s and to port s must be specified Use the no form of the command to disable MAC address moves between ports under MAC Auth control Default disabled no moves allowed Syntax aaa port access mac based ...

Страница 69: ...econds the switch should wait before attempting an authentication request for a MAC address that failed authentication Default 60 seconds Syntax aaaport accessmac based e port list reauth period 0 9999999 Specifies the time period in seconds the switch enforces on a client to re authenticate When set to 0 reauthentication is disabled Default 300 seconds Syntax aaa port access mac based e port list...

Страница 70: ...ow port access port list web based config detail 3 27 Syntax show port access port list web based Shows the status of all Web Authentication enabled ports or the specified ports The number of authorized and unauthorized clients is listed for each port as well as its current VLAN ID Ports without Web Authenti cation enabled are not listed Syntax show port access port list web based clients Shows th...

Страница 71: ...th server Shows Web Authentication settings for all ports or the specified ports along with the RADIUS server specific settings for the timeout wait the number of timeout failures before authentication fails and the length of time between authentication requests Syntax show port access port list web based config web server Shows Web Authentication settings for all ports or the specified ports alon...

Страница 72: ...rent VLAN ID Ports without MAC Authenti cation enabled are not listed Syntax show port access port list mac based clients Shows the port address MAC address session status and elapsed session time for attached clients on all ports or the specified ports Ports with multiple clients have an entry for each attached client Ports without any attached clients are not listed Syntax show port access port ...

Страница 73: ...ts or the specified ports along with the Radius server specific settings for the timeout wait the number of timeout failures before authentication fails and the length of time between authentication requests Syntax show port access port list mac based config detail Shows all MAC Authentication settings including the Radius server specific settings for the specified ports 3 29 ...

Страница 74: ...RADIUS Server difficulties See log file 3 If unauth vid is specified it cannot be successfully applied to the port An authorized client on the port has precedence rejected unauth vlan Unauthorized VLAN only 1 Invalid credentials supplied 2 RADIUS Server difficulties See log file timed out no vlan No network access RADIUS request timed out If unauth vid is specified it cannot be successfully applie...

Страница 75: ...tication Configuration 4 9 Viewing the Switch s Current TACACS Server Contact Configuration 4 10 Configuring the Switch s Authentication Methods 4 11 Configuring the Switch s TACACS Server Access 4 15 How Authentication Operates 4 20 General Authentication Process Using a TACACS Server 4 20 Local Authentication Process 4 22 Using the Encryption Key 4 23 Controlling Web Browser Interface Access Whe...

Страница 76: ...for TACACS Operation Terminal A Directly Accessing the Switch Via Switch s Console Port Terminal B Remotely Accessing The Switch Via Telnet A Primary TACACS Server The switch passes the login requestsfromterminalsAandB to the TACACS server for authentication The TACACS server determines whether to allow access to the switch and what privilege level to allow for a given access request Access Reques...

Страница 77: ... access server or terminal server These terms apply when TACACS is enabled on the switch that is when the switch is TACACS aware TACACS Server The server or management station configured as an access control server for TACACS enabled devices To use TACACS with the switch and any other TACACS capable devices in your network you must purchase install and configure a TACACS server application on a ne...

Страница 78: ...on local authentication refer to Configuring Username and Password Security on page 2 1 TACACS Authentication This method enables you to use a TACACS server in your network to assign a unique password user name and privilege level to each individual or group who needs access to one or more switches or other TACACS aware devices This allows you to administer primary authentication from a central se...

Страница 79: ... use a TACACS server application that supports a redundant backup installation This allows you to configure the switch to use a backup TACACS server if it loses access to the first choice TACACS server TACACS does not affect web browser interface access Refer to Controlling Web Browser Interface Access When Using TACACS Authentication on page 4 24 General Authentication Setup Procedure It is impor...

Страница 80: ...ne which server is your first choice for authentication services The encryption key if any for allowingtheswitchtocommunicate with the server You can use either a global key or a server specific key depending on the encryption configuration in the TACACS server s The number of log in attempts you will allow before closing a log in session Default 3 The period you want the switch to wait for a repl...

Страница 81: ...the correct local username and password for Manager access If the switch cannot find any designated TACACS servers the local manager and operator username password pairs are always used as the secondary access control method You should ensure that the switch has a local Manager password Other wise if authentication through a TACACS server fails for any reason then unauthorized access will be avail...

Страница 82: ...a that could affect the console access 9 When you are confident that TACACS access through both Telnet and the switch s console operates properly use the write memory command to save the switch s running config file to flash memory Configuring TACACS on the Switch BeforeYou Begin If you are new to TACACS authentication HP recommends that you read the General Authentication Setup Procedure on page ...

Страница 83: ...rent Authentication Configuration This command lists the number of login attempts the switch allows in a single login session and the primary secondary access methods configured for each type of access Syntax show authentication This example shows the default authentication configuration Configuration for login and enable access to the switch through the switch console port Configuration for login...

Страница 84: ...CS servers the switch can contact Syntax show tacacs For example if the switch was configured for a first choice and two backup TACACS server addresses the default timeout period and paris 1 for a global encryption key show tacacs would produce a listing similar to the following First Choice TACACS Server Second Choice TACACS Server Third Choice TACACS Server Figure 4 3 Example of the Switch s TAC...

Страница 85: ...thentication console telnet Selects either console serial port or Telnet access for configuration enable login Selects either the Manager enable or Operator login access level local tacacs radius Selects the type of security access local Authenticates with the Manager and Operator password you configure in the switch tacacs Authenticates with a password and other data configured on a TACACS server...

Страница 86: ...assword pair configured locally in the switch for the privilege level being configured none No secondary type of authentication for the specified method privilege path Available only if the primary method of authentication for the access being configured is local Note If you do not specify this parameter in the command line the switch automatically assigns the secondary method as follows If the pr...

Страница 87: ...ocal level of username password protection Caution Regarding the Use of Local for Login Primary Access During local authentication which uses passwords configured in the switch instead of in a TACACS server the switch grants read only access if you enter the Operator password and read write access if you enter the Manager password For example if you configure authentication on the switch with Teln...

Страница 88: ...sing TACACS server Secondary using Local HPswitch config aaa authentication console enable tacacs local Telnet Login Operator or Read Only Access Primary using TACACS server Secondary using Local HPswitch config aaa authentication Telnet login tacacs local Telnet Enable Manager or Read Write Access Primary using TACACS server Secondary using Local HPswitch config aaa authentication telnet enable t...

Страница 89: ...encryption keys you can configure the switch to use different encryp tion keys for different TACACS servers The timeout value in seconds for attempts to contact a TACACS server If the switch sends an authentication request but does not receive a response within the period specified by the timeout value the switch resends the request to the next server in its Server IP Addr list if any If the switc...

Страница 90: ...period for a TACACS server response Default 5 seconds Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS servers the switch will attempt to use for authentication If you configure a global encryption key the switch uses it only with servers for which you have not also configured a server specific key Thus a global key is more useful where the TACAC...

Страница 91: ...r 2 When there is one TACACS serves already configured entering another server IP address makes that server the second choice backup TACACS server 3 When there are two TACACS servers already configured entering another server IP address makes that server the third choice backup TACACS server The above position assignments are fixed Thus if you remove one server and replace it with another the new ...

Страница 92: ...does not detect a response within the timeout period it initiates a new request to the next TACACS server in the list If all TACACS servers in the list fail to respond within the timeout period the switch uses either local authentication if configured or denies access if none configured for local authentication Adding Removing or Changing the Priority of a TACACS Server Suppose that the switch was...

Страница 93: ... key then the authentication attempt will fail Use a global encryption key if the same key applies to all TACACS servers the switch may use for authentication attempts Use a per server encryption key if different servers the switch may use will have different keys For more details on encryption keys see Using the Encryption Key on page 4 23 To configure north01 as a global encryption key HPswitch ...

Страница 94: ... response to an authentication request from a TACACS server before either sending a new request to the next server in the switch s Server IP Address list or using the local authentication option For example to change the timeout period from 5 seconds the default to 3 seconds HPswitch config tacacs server timeout 3 How Authentication Operates General Authentication Process Using a TACACS Server Aut...

Страница 95: ...er receives the username input the requesting terminal receives a password prompt from the server via the switch 4 When the requesting terminal responds to the prompt with a password the switch forwards it to the TACACS server and one of the following actions occurs If the username password pair received from the requesting terminal matches a username password pair previously stored in the server ...

Страница 96: ...ables only local password configuration If the operator at the requesting terminal correctly enters the user name password pair for either access level access is granted Iftheusername passwordpairenteredattherequestingterminaldoes not match either username password pair previously configured locally in the switch access is denied In this case the terminal is again prompted to enter a username pass...

Страница 97: ...communication between the switch and the TACACS server will fail Thus on the TACACS server side you have a choice as to how to implement a key On the switch side it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server For information on how to configure a general or individual key in the TACACS server refer to the documentation you received with the...

Страница 98: ...cacs server host 10 28 227 87 key south10campus With both of the above keys configured in the switch the south10campus key overrides the north40campus key only when the switch tries to access the TACACS server having the 10 28 227 87 address Controlling Web Browser Interface Access When Using TACACS Authentication Configuring the switch for TACACS authentication does not affect web browser interfa...

Страница 99: ... match the username password pair configured in the switch No Tacacs servers TheswitchhasnotbeenabletocontactanydesignatedTACACS servers Ifthismessage is followed by the Username prompt the switch is attempting local authentication responding Not legal combination of authentication methods For console access if you select tacacs as the primary authentication method you must selectlocalastheseconda...

Страница 100: ... enabled on the switch or when the switch s only designated TACACS servers are not accessible setting a local Operator password without also setting a local Manager password does not protect the switch from manager level access by unautho rized persons 4 26 ...

Страница 101: ...ure the Switch To Access a RADIUS Server 5 10 3 Configure the Switch s Global RADIUS Parameters 5 12 Local Authentication Process 5 16 Controlling Web Browser Interface Access When Using RADIUS Authentication 5 17 Configuring RADIUS Accounting 5 17 Operating Rules for RADIUS Accounting 5 19 Steps for Configuring RADIUS Accounting 5 19 Viewing RADIUS Statistics 5 25 General RADIUS Statistics 5 25 R...

Страница 102: ...switch specific passwords to all users For accounting this can help you track network resource usage Authentication You can use RADIUS to verify user identity for the follow ing types of primary password access to the HP switch Serial port Console Telnet SSH Port Access Note The switch does not support RADIUS security for SNMP network manage ment access or web browser interface access For steps to...

Страница 103: ...ccess Server In this case an HP switch configured for RADIUS security operation RADIUS Remote Authentication Dial In User Service RADIUS Client The device that passes user information to designated RADIUS servers RADIUS Host See RADIUS server RADIUS Server A server running the RADIUS application you are using on your network This server receives user connection requests from the switch authenticat...

Страница 104: ...hich they are listed by showradius page 5 25 If the first server does not respond the switch tries the next one and so on To change the order in which the switch accesses RADIUS servers refer to Changing RADIUS Server Access Order on page 5 29 YoucanselectRADIUSastheprimaryauthenticationmethodforeach type of access Only one primary and one secondary access method is allowed for each access type In...

Страница 105: ...on requests to a specific RADIUS server select it before beginning the configuration process If you need to replace the default UDP destination port 1813 the switch uses for accounting requests to a specific Radius server select it before beginning the configuration process Determine whether you can use one global encryption key for all RADIUS servers or if unique keys will be required for specifi...

Страница 106: ... key global key string 5 12 radius server timeout 1 15 5 12 radius server retransmit 1 5 5 12 no radius server dead time 1 1440 5 14 show radius 5 25 host ip address 5 25 show authentication 5 27 show radius authentication 5 27 Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication 1 Configure RADIUS authentication for controlling...

Страница 107: ...ault 5 seconds range 1 to 15 seconds Retransmit Attempts Thenumberofretrieswhenthereisnoserver response to a RADIUS authentication request Default 3 range of 1 to 5 Server Dead Time The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request This avoids a wait for a request to time out on a server that is unavaila...

Страница 108: ...hentication method for the above access methods You will also need to select either local or none as a secondary or backup method Note that for console access if you configure radius or tacacs for primary authentication you must configure local for the secondary method This prevents the possibility of being com pletely locked out of the switch in the event that all primary access methods fail Synt...

Страница 109: ...d be the switch s local passwords The switch now allows Telnet and SSH authentication only through Figure 5 2 Example Configuration for RADIUS Authentication Note In the above example if you configure the Login Primary method as local instead of radius and local passwords are configured on the switch then you can gain access to either the Operator or Manager level without encountering the RADIUS a...

Страница 110: ...ts to the specified RADIUS server host If you do not use this option with the radius server host command the switch automatically assigns the default authentication port number The auth port number must match its server counterpart Default 1812 acct port port number Optional Changes the UDP destination port for account ing requests to the specified RADIUS server If you do not use this option with ...

Страница 111: ...119 Figure 5 3 Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5 3 you would do the following Changes the key for the existing server to source0127 Adds the new RADIUS server with its required source0119 key Lists the switch s new RADIUS server configuration Compare this with Figure 5 4 Sample Configuration for RAD...

Страница 112: ...S servers for which there is not a server specific key configured by radius server host ip address key key string This key is optional if you configure a server specific key for each RADIUS server entered in the switch Refer to 2 Configure the Switch To Access a RADIUS Server on page 5 10 Server timeout Defines the time period in seconds for authentica tion attempts If the timeout period expires b...

Страница 113: ...arlier authentication attempt Default 0 Range 1 1440 minutes radius server timeout 1 15 Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure Default 3 seconds Range 1 15 seconds radius server retransmit 1 5 If a RADIUS server fails to respond to an authentica tion request specifies how many retries to attempt before closin...

Страница 114: ...ion parameters Allow only two tries to correctly enter username and password Use the global encryption key to support the two servers that use the same key For this example assume that you did not configure these two servers with a server specific key Use a dead time of five minutes for a server that fails to respond to an authentication request Allow three seconds for request timeouts Allow two r...

Страница 115: ...or password entry errors the switch will terminate the session Global RADIUS parameters from figure 5 5 These two servers will use the global encryption key Server specific encryption key for the RADIUS server that will not use the global encryption key Figure 5 6 Listings of Global RADIUS Parameters Configured In Figure 5 5 5 15 ...

Страница 116: ...requesting terminal correctly enters the user name password pair for either access level Operator or Manager access is granted on the basis of which username password pair was used For example suppose you configure Telnet primary access for RADIUS and Telnet secondary access for local If a RADIUS access attempt fails then you can still get access to either the Operator or Manager level of the swit...

Страница 117: ...ame and password on the switch Configure the switch s Authorized IP Manager feature to allow web browser access only from authorized management stations The Authorized IP Manager feature does not interfere with TACACS operation Disable web browser access to the switch Configuring RADIUS Accounting RADIUS Accounting Commands Page no radius server host ip address 5 20 acct port port number 5 20 key ...

Страница 118: ...e Acct Terminate Cause Acct Authentic Acct Delay Time Acct Input Packets Acct Output Packets Acct Input Octets Nas Port Acct Output Octets Acct Session Time Username Service Type NAS IP Address NAS Identifier Called Station Id For 802 1X information for the switch refer to Configuring Port Based Access Control 802 1X on page 8 1 Exec accounting Provides records holding the information listed below...

Страница 119: ...er will not be accessed For more on this topic refer to Changing RADIUS Server Access Order on page 5 29 If access to a RADIUS server fails during a session but after the client has been authenticated the switch continues to assume the server is availabletoreceiveaccountingdata Thus ifserveraccessfailsduring a session it will not receive accounting data transmitted from the switch Steps for Config...

Страница 120: ...er for sending accounting reports to a RADIUS server At session start and stop or only at session stop 3 Optional Configure session blocking and interim updating options Updating Periodically update the accounting data for sessions in progress Suppress accounting Block the accounting session for any unknown user with no username access to the switch 1 Configure the Switch To Access a RADIUS Server...

Страница 121: ... key must match the encryption key used on the RADIUS server Use this command only if the specified server requires a different encryption key than configured for the global encryption key For a more complete description of the radius server command and its options turn to page 5 10 For example suppose you want to the switch to use the RADIUS server described below for both authentication and acco...

Страница 122: ... Reports to the RADIUS Server Select the Accounting Type s Exec Useexecifyouwanttocollectaccountinginformationonlogin sessions on the switch via the console Telnet or SSH See also Accounting on page 5 2 System Use system if you want to collect accounting data when A system boot or reload occurs System accounting is turned on or off Note that there is no time span associated with using the system o...

Страница 123: ... the latest data the switch has collected for the requested accounting type Network Exec or System Do not wait for an acknowledgment Thesystemoption page5 22 alwaysdeliversstop onlyoperationbecause the switchsendsthe accumulated data only whenthere is a reboot reload or accounting on off event Syntax no aaa accounting exec network system start stop stop only radius Configures RADIUS accounting typ...

Страница 124: ...a accounting update periodic 1 525600 Sets the accounting update period for all accounting ses sions on the switch The no form disables the update function and resets the value to zero Default zero dis abled Syntax no aaa accounting suppress null username Disables accounting for unknown users having no user name Default suppression disabled To continue the example in figure 5 8 suppose that you wa...

Страница 125: ...ver IP addresses Optional form shows data for a specific RADIUS host To use showradius the server s IP address must be configured in the switch which requires prior use of the radius server host command See Configuring RADIUS Accounting on page 5 17 Figure 5 10 Example of General RADIUS Information from Show Radius Command Figure 5 11 RADIUS Server Information From the Show Radius Host Command 5 2...

Страница 126: ...t as well as a timeout Malformed Responses The number of malformed RADIUS Accounting Response packets received from this server Malformed packets include packets with an invalid length Bad authenticators and unknown types are not included as malformed accounting responses Bad Authenticators The number of RADIUS Accounting Response packets which contained invalid authenticators received from this s...

Страница 127: ...ntly allowed in a session show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch s interactions with this server Requires prior use of the radius server host command to configure a RADIUS server IP address in the switch See Configuring RADIUS Accounting on page 5 17 Figure 5 12 Example of Login Attempt and Primary Secondary Authentication Informa...

Страница 128: ...ng types methods and modes show radius accounting Lists accounting statistics for the RADIUS server s config ured in the switch using the radius server host command show accounting sessions Lists the accounting sessions currently active on the switch Figure 5 14 Listing the Accounting Configuration in the Switch Figure 5 15 Example of RADIUS Accounting Information for a Specific Server 5 28 ...

Страница 129: ...e listed in the order in which you entered them However if you subsequently remove the second server address in the list and add a new server address the new address will be placed second in the list Thus to move a server address up in the list you must delete it from the list ensure that the position to which you want to move it is vacant and then re enterit Forexample supposeyouhavealreadyconfig...

Страница 130: ...position in the list 3 Re enter 10 10 10 003 Because the switch places a newly entered address in the highest available position this address becomes first in the list 4 Re enter 10 10 10 001 Because the only positionopen is the thirdposition this address becomes last in the list Removes the 003 and 001 addresses from the RADIUS server list Inserts the 003 address in the first position in the RADI...

Страница 131: ...configured to receive an authentication request from the switch No server s responding The switch is configured for and attempting RADIUS authentication however it is not receiving a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that...

Страница 132: ...RADIUS Authentication and Accounting Messages Related to RADIUS Operation This page is intentionally unused 5 32 ...

Страница 133: ...ration 6 9 1 Assigning a Local Login Operator and Enable Manager Password 6 9 2 Generating the Switch s Public and Private Key Pair 6 10 3 Providing the Switch s Public Key to Clients 6 12 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior 6 15 5 Configuring the Switch for SSH Authentication 6 18 6 Use an SSH Client To Access the Switch 6 21 Further Information on SSH Client...

Страница 134: ...SSHprovidesTelnet likefunctionsbut unlikeTelnet SSHprovidesencrypted authenticated transactions The authentication types include Client public key authentication Switch SSH and user password authentication Client Public Key Authentication Login Operator Level with User Password Authentication Enable Manager Level This option uses one or more public keys from clients that must be stored on the swit...

Страница 135: ...tored locally on the switch or on a TACACS or RADIUS server However the client does not use a key to authenticate itself to the switch HP Switch SSH Server SSH Client Work Station 1 Switch to Client SSH 2 User to Switch login password and enable password authentication options Local TACACS Figure 6 2 Switch User Authentication SSH on the HP ProCurve switches covered in this guide supports these da...

Страница 136: ...opying A private key generated by an SSH client applica tion is typically stored in a file on the client device and together with its public key counterpart can be copied and stored on multiple devices Public Key An internally generated counterpart to a private key A device s public key is used to authenticate the device to other devices Enable Level Manager privileges on the switch Login Level Op...

Страница 137: ... or import keys Public Key Formats Any client application you use for client public key authentication with the switch must have the capability export public keys The switch can accept keys in the PEM Encoded ASCII Format or in the Non Encoded ASCII format Comment describing public key identity Beginning of actual SSHv2 public key in PEM Encoded ASCII format Figure 6 3 Example of Public Key in PEM...

Страница 138: ...es local or none ssh enable radius Yes No Yes local or none 1 For ssh login public key the switch uses client public key authentication instead of the switch password options for primary authentication The general steps for configuring SSH include A Client Preparation 1 Install an SSH client application on a management station you want to use for access to the switch Refer to the documentation pro...

Страница 139: ...dary authentication methods you want the switch to use In all cases the switch will use its host public key to authenticate itself when initiating an SSH session with a client SSH Login Operator options Option A Primary Local TACACS or RADIUS password Secondary Local password or none Option B Primary Client public key authentication login public key page 6 21 Secondary Local password or none Note ...

Страница 140: ...ou should avoid re generating the key pair without a compelling reason Otherwise you will have to re introduce the switch s public key on all management stations clients you previously set up for SSH access to the switch In some situations this can temporarily allow security breaches On HP ProCurve switches that support stacking when stacking is enabled SSH provides security only between an SSH cl...

Страница 141: ...acs radius public key local none enable tacacs radius local local none copy tftp pub key file tftp server IP public key file clear crypto client public key keylist str 6 14 6 21 6 11 6 16 6 16 6 16 6 16 6 16 6 18 6 20 6 18 6 18 6 18 6 24 6 25 1 Assigning a Local Login Operator and Enable Manager Password At a minimum HP recommends that you always assign at least a Manager password to the switch Ot...

Страница 142: ...ash memory and only the public key in this pair is readable The public key should be added to a known hosts file for example HOME ssh known_hosts on UNIX systems on the SSH clients which should have access to the switch Some SSH client appli cations automatically add the switch spublic key to a knownhosts file Other SSH applications require you to manually create a known hosts file and place the s...

Страница 143: ...ny active SSH sessions will continue to run unless explicitly terminated with the CLI kill command To Generate or Erase the Switch s Public Private RSA Host Key Pair Because the host key pair is stored in flash instead of the running config file it is not necessary to use write memory to save the key pair Erasing the key pair automatically disables SSH Syntax crypto key generate ssh rsa Generates ...

Страница 144: ...r version 1 keys the three numeric values bit size exponent e and modulus n must match for PEM keys only the PEM encoded string itself must match Notes Zeroizing the switch s key automatically disables SSH sets ip ssh to no Thus if you zeroize the key and then generate a new key you must also re enable SSH with the ip ssh command before the switch can resume SSH operation 3 Providing the Switch s ...

Страница 145: ...e of a Public Key Generated by the Switch The generated public key on the switch is always 896 bits With a direct serial connection from a management station to the switch 1 Use a terminal application such as HyperTerminal to display the switch s public key with the show crypto host public key command figure 6 6 2 Bring up the SSH client s known host file in a text editor such as Notepad as straig...

Страница 146: ...eed to visually verify that the public key the switch is using for authenticating itself to a client matches the copy of this key in the client s known hosts file Non encoded ASCII numeric string Requires a client ability to display the keys in the known hosts file in the ASCII format This method is tedious and error prone due to the length of the keys See figure 6 8 on page 6 13 Phonetic hash Out...

Страница 147: ...he switch always uses ASCII version without babble or fingerprint conversion of its public key for file storage and default display format 4 Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients After you enable SSH the switch can authenticate itself to S...

Страница 148: ...e switch You can remove this possibility by directly connecting the management station to the switch s serial port using a show command to display the switch s public key and copying the key from the display into a file This requires a knowledge of where your client stores public keys plus the knowledge of what key editing and file format might be required by your client application However if you...

Страница 149: ...ts Note on Port HP recommends using the default TCP port number 22 However you can Number use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes Examples of reserved IP ports are 23 Telnet and 80 http Some other reserved TCP ports on the HP ProCurve switches are 49 80 1506 and 1513 The switch uses these five settings internally for transactions with cl...

Страница 150: ... which removes local password protection keepphysical access to the switch restricted to authorized personnel 5 Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch s public key by an SSH client However only Option B page 6 19 results in the switch also authenticating the client s public key Also for a more detailed discussion o...

Страница 151: ... switch This means that before you can use this option you must 1 Create a key pair on an SSH client 2 Copy the client s public key into a public key file which can contain up to ten client public keys 3 Copy the public key file into a TFTP server accessible to the switch and download the file to the switch For more on these topics refer to Further Information on SSH Client Public Key Authenticati...

Страница 152: ...itch For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client Keys pub For Manager level enable access for successful SSH clients you want to use TACACS for primary password authentication and local for secondary password authenti cation with a Manager username of 1eader and a password of m0ns00n To set up this operation you would c...

Страница 153: ... Figure 6 12 6 Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch If you have problems refer to RADIUS Related Problems in the Troubleshooting chapter of the Manage ment and Configuration Guide for your switch Further Information on SSH Client Public Key Authentication The section title...

Страница 154: ...vide a utility to generate a key pair The private key is usually stored in a password protected file on the local host the public key is stored in another file and is not protected Note that even without using client public key authentication you can still require authentication from whoever attempts to access the switch from an SSH client by employing the local username password TACACS or RADIUS ...

Страница 155: ...ile into the switch Note that the switch can hold 10 keys The new key is appended to the client public key file 4 Use the aaa authentication ssh command to enable client public key authentication To Create a Client Public Key Text File These steps describe how to copy client public keys into the switch for RSA challenge response authenti cation and require an understanding of how to use your SSH c...

Страница 156: ... placing a client public key into a Word for Windows text file and clicking on File Properties Statistics lets you view the number of characters in the file including spaces 2 Copy the client s public key into a text file filename txt For example you can use the Notepad editor included with the Microsoft Windows software If you want several clients to use client public key authentica tion copy a p...

Страница 157: ...anted to copy a client public key file named clientkeys txt from a TFTP server at 10 38 252 195 and then display the file contents Key Index Number Figure 6 15 Example of Copying and Displaying a Client Public Key File Containing Two Client Public Keys Replacing or Clearing the Public Key File The client public key file remains in the switch s flash memory even if you erase the startup config file...

Страница 158: ...ntication ssh login public key none Allows SSH client access only if the switch detects a match between the client s public key and an entry in the client public key file most recently copied into the switch aaa authentication ssh login public key local Allows SSH client access if there is a public key match see above or if the client s user enters the switch s login Oper ator password With login ...

Страница 159: ...ber See Note on Port Number on page 6 17 Client public key file corrupt or The client key does not exist in the switch Use copy not found Use copy tftp pub key tftp to download the key from a TFTP server file ip addr filename to down load new file Download failed overlength key in The public key file you are trying to download has one of the key file following problems A key in the file is too lon...

Страница 160: ...o two minutes After you execute the crypto key generate ssh rsa command the switch displays this message while it is generating the key Host RSA key file corrupt or not found Use crypto key generate ssh rsa to create new host key The switch s key is missing or corrupt Use the crypto key generate ssh rsa command to generate a new key for the switch 6 28 ...

Страница 161: ...ch and Client Authentication 7 5 General Operating Rules and Notes 7 6 Configuring the Switch for SSL Operation 7 7 1 Assigning a Local Login Operator and Enable Manager Password 7 7 2 Generating the Switch s Server Host Certificate 7 9 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior 7 17 Common Errors in SSL setup 7 21 7 1 ...

Страница 162: ...herwise noted SSL provides all the web functions but unlike standard web access SSL provides encrypted authenticated transactions The authentication type includes server certificate authentication with user password authentication Note SSL in HP Procurve switches is based on the OpenSSL software toolkit For more information on OpenSSL visit http www openssl com Server Certificate authentication wi...

Страница 163: ... otherwise noted Terminology SSL Server An HP switch with SSL enabled Key Pair Public private pair of RSA keys generated by switch of which public portion makes up part of server host certificate and private portion is stored in switch flash not user accessible Digital Certificate A certificate is an electronic passport that is used to establish the credentials of the subject to which the certific...

Страница 164: ...ned certificates Trusted certificates are distributed as an integral part of most popular web clients see browser documentation for which root certificates are pre installed Manager Level Manager privileges on the switch Operator Level Operator privileges on the switch Local password or username A Manager level or Operator level password configured in the switch SSL Enabled 1 A certificate key pai...

Страница 165: ...ality See the browser documentation for addi tional details B Switch Preparation 1 Assign a login Operator and enable Manager password on the switch page 7 7 2 Generate a host certificate on the switch page 7 9 i Generate certificate key pair ii Generate host certificate You need to do this only once The switch s own public private certificate key pair and certificate are stored in the switch s fl...

Страница 166: ...aches The switch s own public private certificate key pair and certificate are stored in the switch s flash memory and are not affected by reboots or the erase startup config command The public private certificate key pair is not be confused with the SSH public private key pair The certificate key pair and the SSH key pair are independent of each other which means a switch can have two keys pairs ...

Страница 167: ...cert rsa 512 768 1024 zeroize cert crypto host cert generate self signed arg list zeroize page 7 19 page 7 19 page 7 12 page 7 10 page 7 10 page 7 10 page 7 10 1 Assigning a Local Login Operator and Enable Manager Password At a minimum HP recommends that you always assign at least a Manager password to the switch Otherwise under some circumstances anyone with Telnet web or serial port access could...

Страница 168: ...gement and Configuration Guide for your switch Password Button Security Tab Figure 7 2 Example of Configuring Local Passwords 1 Proceed to the security tab and select device passwords button 2 Click in the appropriate box in the Device Passwords window and enter user names and passwords You will be required to repeat the password strings in the confirmation boxes Both the user names and passwords ...

Страница 169: ... and digitally signed by the switch Since self signed certificates are not signed by a third party certificate authority there is no audit trail to a root CA certificate and no fool proof means of verifying authenticity of certificate The second type is a certificate authority signed certificate which is digitally signed by a certificate authority has an audit trail to a root CA certificate and ca...

Страница 170: ...e for the switch If a switch certificate already exists replaces it with a new certificate See the Note on page 7 9 crypto host cert zeroize Erases the switch s host certificate and disables SSL opera tion To generate a host certificate from the CLI i Generate a certificate key pair This is done with the crypto key generate cert command The default key size is 512 Note If a certificate key pair is...

Страница 171: ...ress or domain name associated with the switch Your web browser may warn you if this field does not match the URL entered into the web browser when accessing the switch Organization This is the name of the entity e g company where the switch is in service Organizational This is the name of the sub entity e g department where the switch is in service Unit City or location This is the name of the ci...

Страница 172: ...ew key and server certificate you must also re enable SSL with the web management ssl command before the switch can resume SSL operation CLI Command to view host certificates Syntax show crypto host cert Displays switch s host certificate To view the current host certificate from the CLI you use the show crypto host cert command For example to display the new server host certificate Show host cert...

Страница 173: ...wcertificatekeypairand self signed CA signed certificate The right half displays information on the currently installed certificate ii Select the Create Certificate Certificate Request radio button iii Select Self Signed in the Certificate Type drop down list iv Select the RSA Key Size desired If you want to re use the current certificate key select Current from this list v Fill in the remaining c...

Страница 174: ...browsers inter face Security Tab SSL button Certificate Type Box Key Size Selection Certificate Arguments Create Certificate Button Figure 7 5 Self Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface 1 Proceed to the Security tab 2 Then the SSL button 7 14 ...

Страница 175: ...ate Generate a CA Signed server host certificate with the Web Browser Interface This section describes how to install a CA Signed server host certificate from the web browser interface For more information on how to access the web browser interface refer to the chapter titled Using the HP Web Browser Interface in the Management and Configuration Guide for your switch 7 15 ...

Страница 176: ...b then the SSL button ii Select the Create Certificate Certificate Request radio button iii Select Create CA Request from the Certificate Type drop down list iv Select the key size from the RSA Key Size drop down list If you want to re use the current certificate key select Current from this list v Fill in the remaining certificate arguments Refer to Comments on Certificate Fields on page 7 11 vi ...

Страница 177: ...IGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0 aMcXgVruVixw xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH BAIwADANBgkqhkiG9w0B Figure 7 7 Example of a Certificate Request and Reply 3 Enabling SSL on the Switch and Anticipating SSL Brows...

Страница 178: ...cate chain of the switch server certificate up to the root certificate installed in the browser thus authenticating the switch unequivocally As long as you are confident that an unauthorized device is not using the switch s IP address in an attempt to gain access to your data or network you can accept the connection Note When an SSL client connects to the switch for the first time it is possible f...

Страница 179: ...rating the Switch s Server Host Certificate on page 7 9 2 Execute the web management ssl command To disable SSL on the switch do either of the following Execute no web management ssl Zeroize the switch s host certificate or certificate key page 7 10 Using the web browser interface to enable SSL To enable SSL on the switch i Proceed to the Security tab then the SSL button ii Select SSL Enable to on...

Страница 180: ...on the switch are 49 80 1506 and 1513 Caution SSL does not protect the switch from unauthorized access via the Telnet SNMP or the serial port While Telnet access can be restricted by the use of passwords local to the switch if you are unsure of the security this provides youmaywanttodisableTelnetaccess notelnet IfyouneedtoincreaseSNMP security use SNMP version 3 only for SNMP access Another securi...

Страница 181: ...ser interface You have not generated a host certificate Refer to Generate a Self Signed Host Certificate with the Web browser interface on page 7 13 You may be using a reserved TCP port Refer to Note on Port Number on page 7 20 Unable to Connect with SSL You may not have SSL enabled Refer to 3 Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior on page 7 17 Your browser may no...

Страница 182: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup This page is intentionally unused 7 22 ...

Страница 183: ...hentication on the Switch 8 13 Configuring Switch Ports as 802 1X Authenticators 8 15 1 Enable 802 1X Authentication on Selected Ports 8 15 3 Configure the 802 1X Authentication Method 8 19 4 Enter the RADIUS Host IP Address es 8 20 5 Enable 802 1X Authentication on the Switch 8 20 802 1X Open VLAN Mode 8 21 Introduction 8 21 Use Models for 802 1X Open VLAN Modes 8 22 Operating Rules for Authorize...

Страница 184: ... to Other Switches 8 34 Displaying 802 1X Configuration Statistics and Counters 8 38 Show Commands for Port Access Authenticator 8 38 Viewing 802 1X Open VLAN Mode Status 8 40 Show Commands for Port Access Supplicant 8 43 How RADIUS 802 1X Authentication Affects VLAN Operation 8 44 Messages Related to 802 1X Operation 8 48 8 2 ...

Страница 185: ...rk to unauthorized use and malicious attacks While access to the network should be made easy uncontrolled and unauthorized access is usually not desirable 802 1X provides access control along with the ability to control user profiles from a central RADIUS server while allowing users access from multiple points within the network General Features 802 1X on the HP ProCurve switches covered in this m...

Страница 186: ...vers to provide backups in case access to the primary server fails It also means a user can enter the same username and password pair for authentication regardless of which switch is the access point into the LAN Note that you can also configure 802 1X for authentication through the switch s local username and password instead of a RADIUS server but doing so increases the administrative burden dec...

Страница 187: ...upplicant SwitchRunning802 1Xand Connected as a Supplicant Switch Running 802 1X and Operating as an Authenticator Figure 8 1 Example of an 802 1X Application Accounting The switch also provides RADIUS Network accounting for 802 1X access Refer to RADIUS Authentication and Accounting on page 5 1 8 5 ...

Страница 188: ...ient 4 The switch responds in one of the following ways If 802 1X port access on the switch is configured for RADIUS authentication the switch then forwards the request to a RADIUS server i The server responds with an access challenge which the switch forwards to the client ii The client then provides identifying credentials such as a user certificate which the switch forwards to the RADIUS server...

Страница 189: ...ets it does not receive a response it assumes that switch B is not 802 1X aware and transitions to the authenticated state If switch B is operating properly and is not 802 1X aware then the link should begin functioning normally but without 802 1X security If after sending one or more start packets port A1 receives a request packet from port B5 then switch B is operating as an 802 1X authenticator...

Страница 190: ...figured VLAN memberships or any VLAN member ships that may be assigned during the RADIUS authentication process While an 802 1X port is a member of this VLAN the port is untagged When the client connection terminates the port drops its membership in this VLAN Authentication Server The entity providing an authentication service to the switch when the switch is configured to operate as an authentica...

Страница 191: ...usly If a client connected to the port has an operating system that supports 802 1q VLAN tagging then the client can access VLANs for which the port is a tagged member If the client does not support VLAN tagging then it can access only a VLAN for which the port is an untagged member A port can be an untagged member of only one VLAN at a time 802 1X Open VLAN mode does not affect a port s tagged VL...

Страница 192: ...cted to another device rebooting the switch causes a re authentication of the link When a port on the switch is configured as an authenticator it will block access to a client that either does not provide the proper authentication credentials or is not 802 1X aware You can use the optional 802 1X Open VLAN mode to open a path for downloading 802 1X supplicant software to a client which enables the...

Страница 193: ...ion is successful the port becomes unblocked Similarly if the supplicant is authenticated and later the port becomes a trunk member the port will be blocked If the port is then removed from the trunk it tries to re authenticate the supplicant If successful the port becomes unblocked To help maintain security 802 1X and LACP cannot both be enabled on the same port If you try to configure 802 1X on ...

Страница 194: ...ot 802 1X aware that is for clients that are not running 802 1X supplicant software This will require you to provide download able software that the client can use to enable an authentication session For more on this topic refer to 802 1X Open VLAN Mode on page 8 21 4 For each port you want to operate as a supplicant determine a username and password pair You can either use the same pair for each ...

Страница 195: ...itiate an authenti cation session enable the 802 1X Open VLAN mode on the ports you want to support this feature Refer to page 8 21 3 Configure the 802 1X authentication type Options include Local Operator username and password the default This option allows a client to use the switch s local username and password as valid 802 1X credentials for network access EAP RADIUS This option requires your ...

Страница 196: ... 1X operation and if desired the action to take if an unauthorized device attempts access through an 802 1X port See page 8 32 8 If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802 1X authenticator on another device then configure the supplicant operation Refer to Configuring Switch Ports To Operate As Supplicants for 802 1X Connections to Ot...

Страница 197: ...arn mode port access 8 32 802 1X Open VLAN Mode Commands 8 21 802 1X Supplicant Commands 8 34 802 1X Related Show Commands 8 38 RADIUS server configuration 8 20 1 Enable 802 1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802 1X authenticators for point to point links to 802 1X aware clients or switches Actual 802 1X operation does not commence ...

Страница 198: ...default The device connected to the port must support 802 1X authentication and provide valid credentials in order to get network access You have the option of using the Open VLAN mode to provide a path for clients without 802 1X supplicant software to download this software and begin the authentication process Refer to 802 1X Open VLAN Mode on page 8 21 unauthorized Also termed Force Unauthorized...

Страница 199: ...ut before authentication fails and the authenti cation session ends If you are using the Local authen tication option or are using RADIUS authentication with only one host server the switch will not start another session until a client tries a new access attempt If you are using RADIUS authentication with two or three host servers the switch will open a session with each server in turn until authe...

Страница 200: ...bound traffic and restarts the 802 1X authentication process This happens only on ports configured with controlauto and actively operating as 802 1X authenticators Note If a specified port is configured with control authorized and port security and the port has learned an authorized address the port will remove this address and learn a new one from the first packet it receives reauthenticate Force...

Страница 201: ...DIUS authentication to use local Use the switch s local username and password for supplicant authentication eap radius Use EAP RADIUS authentication Refer to the documentation for your RADIUS server chap radius Use CHAP RADIUS MD 5 authentication Refer to the documentation for your RADIUS server appli cation For example to enable the switch to perform 802 1X authentication using one or more EAP ca...

Страница 202: ... authentication or accounting sessions with the spec ified server This key must match the key used on the RADIUS server Use this option only if the specified server requires a different key than configured for the global encryption key radius server key global key string Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server specif...

Страница 203: ...computer not running 802 1X supplicant software could not be authenticated on a port protected by 802 1X access security As a result the port would become blocked and the client could not access the network This prevented the client from Acquiring IP addressing from a DHCP server Downloading the 802 1X supplicant software necessary for an authen tication session The 802 1X Open VLAN mode solves th...

Страница 204: ...ve then it operates as an untagged member of that VLAN while the client is connected When the client disconnects the port reverts to tagged membership in the VLAN Use Models for 802 1X Open VLAN Modes You can apply the 802 1X Open VLAN mode in more than one way Depending on your use you will need to create one or two static VLANs on the switch for exclusive use by per port 802 1X Open VLAN mode au...

Страница 205: ... the port is a member of the Unauthorized Client VLAN Authorized Client VLAN After the client is authenticated the port drops membership in the Unauthorized Client VLAN and becomes an untagged member of this VLAN Note if RADIUS authentication assigns a VLAN the port temporarily becomes a member of the RADIUS assigned VLAN instead of the Authorized Client VLAN while the client is connected If the p...

Страница 206: ...authentication This happens even if the RADIUS server assigns theporttoanother authorizedVLAN Notethatiftheportisalready configured as a tagged member of a VLAN that RADIUS assigns as an authorized VLAN then the port becomes an untagged member of that VLAN for the duration of the client connection After the client disconnects the port returns to tagged membership in that VLAN Open VLAN Mode with O...

Страница 207: ...port drops these assignments and uses the untagged VLAN memberships for which it is statically configured After client authentication the port resumes any tagged VLAN memberships for which it is already configured For details refer to the Note on page 8 22 TemporaryVLANMembershipDuring Port membership in a VLAN assigned to operate as the a Client Session Effect of Unauthorized Client VLAN session ...

Страница 208: ... of unauthenticated clients Effect of Failed Client Authentication When there is an Unauthorized Client VLAN configured on an 802 1X Attempt authenticator port an unauthorized client connected to the port has access only to the network resources belonging to the Unauthorized Client VLAN This access continues until the client disconnects from the port If there is no Unauthorized Client VLAN configu...

Страница 209: ...ports do not have to be members of this VLAN Note that if an 802 1X authenticator port is an untagged member of another VLAN the port s access to that other VLAN will be temporarily removed while an authenticated client is connected to the port For example if i Port A5 is an untagged member of VLAN 1 the default VLAN ii You configure port A5 as an 802 1X authenticator port iii You configure port A...

Страница 210: ...X VLAN operation 1 Enable 802 1X authentication on the individual ports you want to serve as authenticators The switch automatically disables LACP on the ports on which you enable 802 1X On the ports you will use as authenticators with VLAN operation ensure that the default port control parameter is set to auto Refer to 1 Enable 802 1X Authentication on Selected Ports on page 8 15 This setting req...

Страница 211: ... server specific key This key is optional if all RADIUS server addresses configured in the switch include a server specific encryption key 4 Activate authentication on the switch Syntax aaa port access authenticator active Activates 802 1X port access on ports you have config ured as authenticators 5 Test both the authorized and unauthorized access to your system to ensure that the 802 1X authenti...

Страница 212: ...he server is connected to a port on the Default VLAN The switch s default VLAN is already configured with an IP address of 10 28 127 100 and a network mask of 255 255 255 0 HPswitch config aaa authentication port access eap radius Configures the switch for 802 1X authentication using an EAP RADIUS server HPswitch config aaa port access authenticator a10 a20 Configures ports A10 A20 as 802 1 authen...

Страница 213: ... a tagged member of VLAN X that is not used as an Unauthorized Client Authorized Client or RADIUS assigned VLAN then the port returns to tagged membership in VLAN X upon successful client authentication This happens even if the RADIUS server assigns the port to another authorized VLAN Y Note that if RADIUS assigns VLAN X as an authorized VLAN then the port becomes an untagged member of VLAN X for ...

Страница 214: ...om this specific device is allowed on the port When this device logs off another 802 1X aware device can be authenticated on the port Syntax port security ethernet port list learn mode port access Configures port security on the specified port s to allow only the first 802 1X aware device the port detects action none send alarm send disable Configures the port s response in addition to blocking un...

Страница 215: ...t want authorized If this occurs you can block access by the unauthorized non 802 1X device by using one of the following options If 802 1X authentication is disabled on the port use these command syntaxes to enable it and allow only an 802 1X aware device aaa port access authenticator e port list Enables 802 1X authentication on the port aaa port access authenticator e port list control auto Forc...

Страница 216: ...02 1X Related Show Commands page 8 38 RADIUS server configuration pages 8 20 You can configure a switch port to operate as a supplicant in a connection to a port on another 802 1X aware switch to provide security on links between 802 1X aware switches Note that a port can operate as both an authenticator and a supplicant For example suppose that you want to connect two switches where Switch A has ...

Страница 217: ... and password 2 The RADIUS server then responds with an access challenge that switch B forwards to port A1 on switch A 3 Port A1 replies with a hash response based on its unique credentials Switch B forwards this response to the RADIUS server 4 The RADIUS server then analyzes the response and sends either a suc cess or failure packet back through switch B to port A1 A success response unblocks por...

Страница 218: ...execute this command without any other parameters After doing this you can use the command again with the following parameters to configure supplicant oper tion Use one instance of the command for each parameter you want to configure The no form disables supplicant operation on the designated port s identity username Sets the username and password to pass to the authen ticator port when a challeng...

Страница 219: ...e Default 3 held period 0 65535 Sets the time period the supplicant port waits after an active 802 1X session fails before trying to re acquire the authenticator port Default 60 seconds start period 1 300 Sets the time period between Start packet retransmis sions That is after a supplicant sends a start packet it waits during the start period for a response If no response comes during the start pe...

Страница 220: ...isplays whether port access authenticator is active Yes or No and the status of all ports configured for 802 1X authentication The Authenticator Backend State in this data refers to the switch s interaction with the authentication server With port list only same as above but limits port status to only the specified port Does not display data for a specified port that is not enabled as an authentic...

Страница 221: ...access authenticator is active The statistics of the ports configured as 802 1X authenticators including the supplicant s MAC address as determined by the content of the last EAPOL frame received on the port Does not display data for a specified port that is not enabled as an authenticator session counters e port list Shows Whether port access authenticator is active The session status on the spec...

Страница 222: ...ssumes that the port is not a statically configured member of VLAN 100 Items 1 through 3 indicate that an authenticated client is connected to port B2 1 Open in the Status column 2 Authorized in the Authenticator State column 3 The Auth VLAN ID 101 is also in the Current VLAN ID column This assumes that the port is not a statically configured member of VLAN 101 1 2 3 4 5 4 A 0 in the row for port ...

Страница 223: ...to allow network access to any connected device that supports 802 1X authentication and provides valid 802 1X credentials This is the default authenticator setting FA Configures the port for Force Authorized which allows access to any device connected to the port regardless of whether it meets 802 1X criteria You can still configure console Telnet or SSH security on the port FU Configures the port...

Страница 224: ...he static untagged VLAN to which the port currently belongs No PVID The port is not an untagged member of any VLAN Syntax show vlan vlan id Displays the port status for the selected VLAN including an indication of which port memberships have been temporarily overridden by Open VLAN mode Note that ports B1 and B3 are not in the upper listing but are included under Overridden Port VLAN configuration...

Страница 225: ...access supplicant e port list statistics Shows the port access statistics and source MAC address es for all ports or port list ports configured on the switch as supplicants See the Note on Suppli cant Statistics below Note on Supplicant Statistics For each port configured as a supplicant show port access supplicant statistics e port list displays the source MAC address and statistics for transacti...

Страница 226: ...ist or is a dynamic VLAN created by GVRP authentication fails Also for the session to proceed the port must be an untagged member of the required VLAN If it is not the switch temporarily reassigns the port as described below If the Port Used by the Client Is Not Configured as an Untagged Member of the Required Static VLAN When a client is authenticated on port N if port N is not already configured...

Страница 227: ... and Figure 8 7 Example of an Active VLAN Configuration In figure 8 7 if RADIUS authorizes an 802 1X client on port 2 with the requirement that the client use VLAN 22 then VLAN 22 becomes available as Untagged on port A2 for the duration of the session VLAN 33 becomes unavailable to port A2 for the duration of the session because there can be only one untagged VLAN on any port You can use the show...

Страница 228: ...ation for VLAN 22 Temporarily Changes for the 802 1X Session With the preceding in mind since static VLAN 33 is configured as untagged on port A2 see figure 8 7 and since a port can be untagged on only one VLAN port A2 loses access to VLAN 33 for the duration of the 802 1X session involving VLAN 22 You can verify the temporary loss of access to VLAN 33 with the show vlan 33 command Even though por...

Страница 229: ...3 on port A2 Figure 8 10 The Active Configuration for VLAN 33 Restores Port A2 After the 802 1X Session Ends Notes Any port VLAN ID changes you make on 802 1X aware ports during an 802 1X authenticated session do not take effect until the session ends With GVRP enabled a temporary untagged static VLAN assignment created on a port by 802 1X authentication is advertised as an existing VLAN If this t...

Страница 230: ...server s responding This message can appear if you configured the switch for EAP RADIUS or CHAP RADIUS authentication but the switch does not receive a response from a RADIUS server Ensure that the switch is configured to access at least one RADIUS server Use show radius If you also see the message Can t reach RADIUS server x x x x try the suggestions listed for that message page 5 31 LACP has bee...

Страница 231: ...ferences Between MAC Lockdown and Port Security 9 19 Deploying MAC Lockdown 9 21 MAC Lockout 9 25 Port Security and MAC Lockout 9 27 Web Displaying and Configuring Port Security Features 9 27 Reading Intrusion Alerts and Resetting Alert Flags 9 28 Notice of Security Violations 9 28 How the Intrusion Log Operates 9 29 Keeping the Intrusion Log Current by Resetting Alert Flags 9 29 Using the Event L...

Страница 232: ...orized to access the network through that port This enables individual ports to detect prevent and log attempts by unauthorized devices to communicate through the switch Note This feature does not prevent intruders from receiving broadcast and multi cast traffic Basic Operation Default Port Security Operation The default port security setting for each port is off or continuous That is any device c...

Страница 233: ...wed to send inbound traffic through the port This feature Closes the port to inbound traffic from any unauthorized devices that are connected to the port Provides the option for sending an SNMP trap notifying of an attempted security violation to a network management station and optionally disables the port For more on configuring the switch for SNMP management refer to Trap Receivers and Authenti...

Страница 234: ... are blocked from accessing switch A by the port security settings in switch A Switch C is not authorized to access Switch A Figure 9 1 Example of How Port Security Controls Access Note Broadcast and Multicast traffic is not unauthorized traffic and can be read by intruders connected to a port on which you have configured port security Trunk Group Exclusion Port security does not operate on either...

Страница 235: ...tects or not d For each port what security actions do you want The switch automatically blocks intruders detected on that port from transmit ting to the network You can configure the switch to 1 send intrusion alarms to an SNMP management station and to 2 option ally disable the port on which the intrusion was detected e How do you want to learn of the security violation attempts the switch detect...

Страница 236: ...ort security 9 11 port security 9 12 ethernet port list 9 12 learn mode address limit mac address action clear intrusion flag no port security 9 12 9 12 9 12 9 12 9 12 9 12 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses Note Use the global configuration level to execute port security configuration commands 9 6 ...

Страница 237: ...ddress limit That is if you enter fewer MAC addresses than you authorized the port fills the remainder of the address allowance with MAC addresses it automatically learns For example if you specify three authorized devices but enter only one authorized MAC address the port adds the one specifically authorized MAC address to its authorized devices list and the first two additional MAC addresses it ...

Страница 238: ...roCurve website Refer to Getting Documentation From the Web on page 1 9 Port Access Enables you to use Port Security with 802 1X Port Based Access Control Refer to Configuring Port Based Access Control 802 1X on page 8 1 address limit integer When Learn Mode is set to static static learn or configured static configured this parameter specifies the number of authorized devices MAC addresses to allo...

Страница 239: ...rm Causes the switch to send an SNMP trap to a network management station send disable Available only with learn mode configured and learn mode static Causes the switch to send an SNMP trap to a network management station and disable the port If you subsequently re enable the port without clearing the port s intrusion flag the port will block further intruders but the switch will not disable the p...

Страница 240: ...tartup config file to match the running config file Assigned Authorized MAC Addresses If you manually assign a MAC address using mac address mac addr and then execute write memory the assigned MAC address remains in memory unless removed by one of the methods described below Removing Learned and Assigned Static MAC Addresses To remove a static MAC address do one of the following Delete the address...

Страница 241: ...rity displays operating control settings for all ports on a switch For example Figure 9 2 Example Port Security Listing Ports A7 and A8 Show the Default Setting Withportnumbersincludedinthecommand showport securitydisplaysLearn Mode Address Limit alarm Action and Authorized Addresses for the spec ified ports on a switch The following example lists the full port security configuration for a single ...

Страница 242: ...ddr mac addr action none send alarm send disable clear intrusion flag For the configured option above refer to the Note on page 9 8 no port security port list mac address mac addr mac addr mac addr Specifying Authorized Devices and Intrusion Responses Learn Mode Static This example configures port A1 to automatically accept the first device MAC address it detects as the only authorized device for ...

Страница 243: ...Configured This option allows only MAC addresses specifi cally configured with learn mode configured mac address mac address and does not automatically learn non specified MAC addresses learned from the network This example configures port A1 to Allow only a MAC address of 0c0090 123456 as the authorized device Reserve the option for adding two more specified MAC addresses at a later time without ...

Страница 244: ...rity a1 mac address 0c0090 456456 After executing the above command the security configuration for port A1 appears as The Address Limit has been reached Figure 9 5 Example of Adding a Second Authorized Device to a Port Note The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list If you change aportfromstatic ...

Страница 245: ...thorized List for a Port Configured for Learn Mode Static This command option removes unwanted devices MAC addresses from the Authorized Addresses list An Authorized Address list is available for each port for which Learn Mode is currently set to Static See the MAC Address entry in the table on 9 8 Caution The address limit setting controls how many MAC addresses are allowed in the Authorized Addr...

Страница 246: ...me authorized If you use learn mode configured instead the switch cannot automatically add detected devices not included in the mac address configuration Refer to the Note on page 9 8 For example suppose port A1 is configured as shown below and you want to remove 0c0090 123456 from the Authorized Address list When removing 0c0090 123456 first reduce the Address Limit by 1 to prevent theportfromaut...

Страница 247: ...on movement and MAC address hijacking It also controls address learning on the switch When configured the MAC Address can only be used on the assigned port and the client device will only be allowed on the assigned VLAN Not e Port security and MAC Lockdown are mutually exclusive on a given port You can either use port security or MAC Lockdown but never both at the same time on the same port Syntax...

Страница 248: ...port of the intruder If the device computer PDA wireless device is moved to a different port on the switch by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch the port will detect that the MAC Address is not on the appropriate port and will continue to send traffic out the port to which the address wa...

Страница 249: ...ddress and a VLAN for lockdown MAC Lockdown on the other hand is not a list It is a global parameter on the switch that takes precedence over any other security mechanism The MAC Address will only be allowed to communicate using one specific port on the switch MAC Lockdown is a good replacement for port security to create tighter control over MAC addresses and which ports they are allowed to use o...

Страница 250: ... in the log file can be useful for troubleshooting problems If you are trying to connect a device which has been locked down to the wrong port it will not work but it will generate error messages like this to help you determine the problem Limiting the Frequency of Log Messages The first move attempt or intrusion is logged as you see in the example above Subsequent move attempts send a message to ...

Страница 251: ...s The purpose of using MAC Lockdown is to prevent a malicious user from hijacking an approved MAC address so they can steal data traffic being sent to that address As we have seen MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MA...

Страница 252: ...e Network Edge Provides Security Basic MAC Lockdown Deployment In the Model Network Topology shown above the switches that are connected to the edge of the network each have one and only one connection to the core network This means each switch has only one path by which data can travel to Server A You can use MAC Lockdown to specify that all traffic intended for Server A s MAC Address must go thr...

Страница 253: ...y traffic that is sent back to Server A will be sent to the proper MAC Address because MAC Lockdown has been used The switches at the edge will not send Server A s data packets anywhere but the port connected to Server A Data would not be allowed to go beyond the edge switches C a u t i o n Using MAC Lockdown still does not protect against a hijacker within the core In order to protect against som...

Страница 254: ...g down Server A to Switch 1 And when you remove the MAC Lockdown from Switch 1 to prevent broadcast storms or other connectivity issues you then open the network to security problems The use of MAC Lockdown as shown in the above figure would defeat the purpose of using STP or having an alternate path Technologies such as STP are primarily intended for an internal campus network environment in whic...

Страница 255: ... address will be dropped This means that all data packets addressed to or from the given address are stopped by the switch MAC Lockout is implemented on a per switch assignment You can think of MAC Lockout as a simple blacklist The MAC address is locked out on the switch and on all VLANs No data goes out or in from the blacklisted MAC address to a switch using MAC Lockout To fully lock out a MAC a...

Страница 256: ... to lock Broadcast or Multicast Addresses Switches do not learn these Switch Agents The switch s own MAC Address If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file Lockout logging format W 10 30 03 21 35 15 maclock module A 0001e6 1f96c0 detected on port A15 W 10 30 03 21 35 18 maclock module A 0001e6 1f96c0 detected on port A15 W...

Страница 257: ...r MAC Addresses Be careful if you use both together however If a MAC Address is locked out and appears in a static learn table in port security the apparently authorized address will still be locked out anyway MACentryconfigurationssetbyportsecurity willbe keptevenifMAC Lockout is configured and the original port security settings will be honored once the Lockout is removed A port security static ...

Страница 258: ...iolation occurs on a port configured for Port Security the switch responds in the following ways to notify you The switch sets an alert flag for that port This flag remains set until You use either the CLI menu interface or web browser interface to reset the flag The switch is reset to its factory default configuration The switch enables notification of the intrusion through the following means In...

Страница 259: ...o or more entries for port 1 only the most recent entry has not been acknowledged by resetting the alert flag The other entries give you a history of past intrusions detected on port A1 Figure 9 13 Example of Multiple Intrusion Log Entries for the Same Port The log shows the most recent intrusion at the top of the listing You cannot delete Intrusion Log entries unless you reset the switch to its f...

Страница 260: ...her SNMP trap but will not become disabled again unless you first reset the port s intrusion flag This operation enables the port to continue passing traffic for authorized devices while you locate and eliminate the intruder Otherwise the presence of an intruder could cause the switch to repeatedly disable the port Menu Checking for Intrusions Listing Intrusion Alerts and Resetting Alert Flags The...

Страница 261: ...mple has also been previously reset The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected Note also that the prior to text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset 3 To acknowledge the mo...

Страница 262: ...on Alerts and Resetting Alert Flags provides a history of the last 20 intrusions detected by the switch resetting the alert flags does not change its content Thus displaying the Intrusion Log again will result in the same display as in figure 9 15 above 9 32 ...

Страница 263: ...Security on page 9 36 Syntax show interfaces brief List intrusion alert status and other port status informa tion show port security intrusion log List intrusion log content clear intrusion flags Clear intrusion flags on all ports port security e port number clear intrusion flag Clear the intrusion flag on one or more specific ports In the following example executing show interfaces brief lists th...

Страница 264: ...on records only when the log becomes full and new intrusions are subsequently added The prior to text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset To clear the intrusion from port A1 and enable the switch to enter any subsequentintrusionforportA1intheIntrusionLog executetheport security clear intru...

Страница 265: ...tion For example Log Listing with Security Violation Detected Log Listing with No Security Violation Detected Log Command with security for Search String Figure 9 19 Example of Log Listing With and Without Detected Security Violations From the Menu Interface In the Main Menu click on 4 Event Log and use Next page and Prev page to review the Event Log contents For More Event Log Information See Usi...

Страница 266: ...list Enter your PC or workstation s IP address in the switch s IP Autho rized Managers list See chapter 11 Using Authorized IP Managers Without both of the above configured the switch detects only the proxy server s MAC address and not your PC or workstation MAC address and interprets your connection as unauthorized Prior To Entries in the Intrusion Log If you reset the switch using the Reset butt...

Страница 267: ... notice that LACP is disabled on the port s and enables port security on that port For example HPswitch config port security e a17 learn mode static address limit 2 LACP has been disabled on secured port s HPswitch config The switch will not allow you to configure LACP on a port on which port security is enabled For example HPswitch config int e a17 lacp passive Error configuring port A17 LACP and...

Страница 268: ...Configuring and Monitoring Port Security Operating Notes for Port Security This page is intentionally unused 9 38 ...

Страница 269: ...00 PWR and 2800 Switches Contents Overview 10 2 Using Source Port Filters 10 4 Operating Rules for Source Port Filters 10 4 Configuring a Source Port Filter 10 5 Viewing a Source Port Filter 10 7 Filter Indexing 10 8 Editing a Source Port Filter 10 9 10 1 ...

Страница 270: ...utbound destination ports and trunks if any on the switch With routing disabled on the switch the default source port filtering can operate on traffic moving within the same VLAN With routing enabled on the switch source port filtering can operate on traffic moving between VLANs as well as within the same VLAN If you configure multinetting within a VLAN and enable routing on the switch you can use...

Страница 271: ... any source port to any destination port Refer to figures 10 1 and 10 2 Server A Port 7 Port 8 Server B Port 9 Server C Port 5 Workstation X Figure 10 1 Example of a Filter Blocking Traffic only from Port 5 to Server A This list shows the filter created to block drop traffic from sourceport5 workstation X to destination port 7 server A Notice that the filter allows traffic to move from source port...

Страница 272: ...or each physical port or port trunk on the switch Each source port filter you configure is composed of One source port or port trunk trk1 trk2 trk6 A set of destination ports and or port trunks that includes all LAN ports and port trunks on the switch An action for each destination port or port trunk When you create a source port filter the switch automatically sets the filter to forward traffic f...

Страница 273: ...ward traffic for the destinations in the destination port list Since forward is the default state for destinations in a filter this command is useful when destinations in an existing filter are configured for drop and you want to change them to forward Can be followed by the drop option if you have other destination ports set to forward that you want to change to drop For example filter source por...

Страница 274: ...onfiguration You must still explicitly con figure the filter on the port trunk If you use the show filter index command for a filter created before the related source port was added to a trunk the port number appears between asterisks indicating that the filter action has been suspended for that filter For example if you create a filter on port 5 then create a trunk with ports 5 and 6 and display ...

Страница 275: ...anolderfilterifaprevious source port filter deletion created a gap in the filter listing Filter Type Indicates the type of filter assigned to the IDX number Value Indicatestheportnumberorport trunknameofthesourceport or trunk assigned to the filter Use show filter to learn the index number of a specific filter you want to examine in more detail index Displays detailed data on the filter designated...

Страница 276: ...bers Figure 10 4 Example of Listing Filters and the Details of a Specific Filter Filter Indexing The switch automatically assigns each new source port filter to the lowest available index IDX number If there are no filters currently configured and you create three filters in succession they will have index numbers 1 3 However if you then delete the filter using index number 2 and then configure tw...

Страница 277: ...stination ports or trunks use the filter source port command to update the existing filter For example suppose you configure a filter to drop traffic received on port 8 and destined for ports 1 and 2 The resulting filter is shown on the left in figure 10 5 Later you update the filter to drop traffic received on port 8 and destined for ports 3 through 5 Since only one filter exists for a given sour...

Страница 278: ...Traffic Security Filters HP ProCurve Series 2600 2600 PWR and 2800 Switches Using Source Port Filters This page is intentionally unused 10 10 ...

Страница 279: ...and Configuring IP Authorized Managers 11 5 CLI Viewing and Configuring Authorized IP Managers 11 6 Web Configuring IP Authorized Managers 11 9 Building IP Masks 11 9 Configuring One Station Per Authorized Manager IP Entry 11 9 Configuring Multiple Stations Per Authorized Manager IP Entry 11 11 Additional Examples for Authorizing Multiple Stations 11 13 Operating Notes 11 13 11 1 ...

Страница 280: ...feature takes precedence over local passwords TACACS RADIUS Port Based Access Control 802 1X and Port Security This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking other access security features If the Authorized IP Managers feature disallows access to the device then access is denied Thus with auth...

Страница 281: ...our network s security by keeping physical access to the switch restricted to authorized personnel using the username password and other security features available in the switch and preventing unauthorized access to data on your management stations Access Levels Note The Authorized IP Manager feature can assign an access level to stations using Telnet SNMPv1 or SNMPv2c for switch access The acces...

Страница 282: ...entry for every station All stations in the group defined by the one Authorized Manager IP table entry and its associated IP mask will have the same access level Manager or Operator For more on this topic refer to Config uring Multiple Stations Per Authorized Manager IP Entry on page 11 11 To configure the switch for authorized manager access enter the appropriate Authorized Manager IP value speci...

Страница 283: ...ize four IP addresses for management station access The details on how to use IP masks are provided under Building IP Masks on page 11 9 Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch This mask serves a different purpose than IP subnet masks and is applied in a different manner Menu Viewing and Configuring IP Authorized Man...

Страница 284: ...Refer to the Note on page 11 3 Figure 11 2 Example of How To Add an Authorized Manager Entry Continued Editing or Deleting an Authorized Manager Entry Go to the IP Manag ers List screen figure 11 1 highlight the desired entry and press E for Edit or D for Delete CLI Viewing and Configuring Authorized IP Managers Authorized IP Managers Commands Used in This Section Command Page show ip authorized m...

Страница 285: ...r 255 255 255 0 10 28 227 0 through 255 Operator Configuring IP Authorized Managers for the Switch Syntax ip authorized managers ip address Configures one or more authorized IP addresses ip mask bits Configures the IP mask for ip address access operator manager Configures the privilege level for ip address Applies only to access through Telnet SNMPv1 and SNMPv2c Refer to the Note on page 11 3 To A...

Страница 286: ...ure 11 4 Example of Specifying an IP Authorized Manager with the Default Mask To Edit an Existing Manager Access Entry To change the mask or access level for an existing entry use the entry s IP address and enter the new value s Notice that any parameters not included in the command will be set to their default HPswitch config ip authorized managers 10 28 227 101 255 255 255 0 access operator The ...

Страница 287: ...rovided on the web browser screen Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask If you have ten or fewer management and or operator stations you can configure them quickly b...

Страница 288: ...4th Octet Manager Level or Operator Level Device Access IP Mask 255 255 255 255 The 255 in each octet of the mask specifies that only the exact value in that octet of the corresponding IP address is allowed This mask allows Authorized 10 28 227 125 management access only to a station having an IP address of 10 33 248 5 Manager IP 11 10 ...

Страница 289: ...tially authorized station must match the same bit in the IP address you entered in the Authorized Manager IP list Conversely if a bit in an octet of the mask is off set to 0 then the corresponding bit in the IP address of a potentially authorized station on the network does not have to match its counterpart in the IP address you entered in the Authorized Manager IP list Thus in the example shown a...

Страница 290: ...ed bits is allowed for the purposes of IP management station access to the switch Thus anymanagementstationhaving anIPaddress of 10 28 227 121 123 125 or 127 can access the switch 4th Octet of IP Mask 4th Octet of Authorized IP Address 249 5 Bit Numbers Bit Bit Bit Bit Bit Bit Bit Bit 7 6 5 4 3 2 1 0 Bit Values 128 64 32 16 8 4 2 1 4th Octet of IP Mask 249 4th Octet of IPAuthorized Address 125 Bit...

Страница 291: ...ting unauthorized access to data on your management stations Modem and Direct Console Access Configuring authorized IP managers does not protect against access to the switch through a modem or direct Console RS 232 port connection Duplicate IP Addresses If the IP address configured in an autho rized management station is also configured in another station the other station can gain management acce...

Страница 292: ... service for web access to the switch To do so add the IP address or DNS name of the switch to the non proxy or Exceptions list in the web browser interface you are using on the authorized station If you don t need proxy server access at all on the authorized station then just disable the proxy server feature in the station s web browser interface 11 14 ...

Страница 293: ...verview 11 1 precedence over other security 11 2 troubleshooting 11 13 certificate CA signed 7 4 root 7 4 self signed 7 4 Clear button to delete password protection 2 5 configuration port security 9 5 RADIUS See RADIUS SSH See SSH connection inactivity time 2 3 console for configuring authorized IP managers 11 5 D DES 6 3 7 3 disclaimer 1 ii duplicate IP address effect on authorized IP managers 11...

Страница 294: ...s control OpenSSH 6 3 OpenSSL 7 2 operating notes authorized IP managers 11 13 port security 9 36 operator password 2 2 2 4 2 5 P password authorized IP managers precedence 11 2 browser console access 2 3 case sensitive 2 4 caution 2 3 delete 2 5 deleting with the Clear button 2 5 if you lose the password 2 5 incorrect 2 3 length 2 4 operator only caution 2 3 pair 2 2 setting 2 4 password pair 2 2...

Страница 295: ... statistics 8 38 supplicant operation 8 8 supplicant operation switch port 8 7 supplicant state 8 43 supplicant statistics note 8 43 supplicant configuring 8 34 supplicant configuring switch port 8 36 supplicant enabling 8 35 switch username and password 8 4 terminology 8 8 troubleshooting gvrp 8 44 used with port security 8 32 VLAN operation 8 44 prior to 9 31 9 34 9 36 Privacy Enhanced Mode PEM ...

Страница 296: ...mmands 6 9 client behavior 6 15 6 16 client public key authentication 6 19 6 21 client public key clearing 6 25 client public key creating file 6 23 client public key displaying 6 25 configuring authentication 6 18 crypto key 6 11 disabling 6 11 enable 6 16 7 19 enabling 6 15 erase host key pair 6 11 generate host key pair 6 11 generating key pairs 6 10 host key pair 6 11 key babble 6 11 key finge...

Страница 297: ... models covered 1 2 T TACACS aaa parameters 4 12 authentication 4 3 authentication process 4 20 authentication local 4 22 authorized IP managers effect 4 25 authorized IP managers precedence 11 2 configuration authentication 4 11 configuration encryption key 4 19 configuration server access 4 15 configuration timeout 4 20 configuration viewing 4 10 encryption key 4 6 4 15 4 16 4 19 encryption key ...

Страница 298: ...5 blocked traffic 3 4 CHAP defined 3 9 usage 3 4 client status 3 30 configuration commands 3 18 configuring on the switch 3 17 switch for RADIUS access 3 15 features 3 4 general setup 3 12 LACP not allowed 3 11 redirect URL 3 9 rules of operation 3 10 show status and configuration 3 26 terminology 3 9 web browser interface for configuring port security 9 35 authorized IP managers 11 7 11 9 web bro...

Страница 299: ......

Страница 300: ... change without notice Copyright 2000 2004 Hewlett Packard Development Company L P Reproduction adaptation or translation without prior written permission is prohibited except as allowed under the copyright laws October 2004 Manual Part Number 5990 6024 ...

Отзывы:

Нет отзывов