Page 1 Access Security Guide ProCurve Series 2510G Switches Y.11.XX www.procurve.com...
Page 3 ProCurve Series 2510G Switches June 2008 Access Security Guide...
Page 4 OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit http:// www.openssh.com. SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit http://www.openssl.org.
Page 5: Table Of Contents
Contents Product Documentation About Your Switch Manual Set ........xi Feature Index .
Page 6 Front-Panel Security ..........2-7 When Security Is Important .
Page 7 General System Requirements ........4-5 General Authentication Setup Procedure .
Page 8 Enabling Authorization ........5-18 Displaying Authorization Information .
Page 9 7 Configuring Secure Socket Layer (SSL) Contents ............7-1 Overview .
Page 10 6. Optionally Resetting Authenticator Operation ....8-25 802.1X Open VLAN Mode ........8-26 Introduction .
Page 11 Web: Displaying and Configuring Port Security Features ... . . 9-28 Reading Intrusion Alerts and Resetting Alert Flags ....9-28 Notice of Security Violations .
Page 13: Product Documentation
ProCurve Networking website. This guide describes how to configure, manage, and monitor basic switch operation. ■ Advanced Traffic Management Guide - a PDF file on the ProCurve Networking website. This guide explains the configuration and operation of traffic management features such as spanning tree and VLANs.
Page 14: Feature Index
Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. Feature Management and Advanced Traffic Access Security Configuration Management Guide 802.1Q VLAN Tagging 802.1p Priority 802.1X Authentication Authorized IP Managers...
Page 15 Product Documentation Feature Management and Advanced Traffic Access Security Configuration Management Guide LLDP MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Monitoring and Analysis Multicast Filtering Network Management Applications (LLDP, SNMP) Passwords Ping Port Configuration Port Security Port Status Port Trunking (LACP) Port-Based Access Control Port-Based Priority (802.1Q)
Page 16 Product Documentation Feature Management and Advanced Traffic Access Security Configuration Management Guide Syslog System Information TACACS+ Authentication Telnet Access TFTP Time Protocols (TimeP, SNTP) Troubleshooting VLANs Web-based Authentication Xmodem...
Page 17: Contents
Getting Started Contents Introduction ........... 1-2 Overview of Access Security Features .
Page 18: Getting Started
Getting Started Introduction Introduction This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches: ProCurve Switch 2510G ■ For an overview of other product documentation for the above switches, refer to “Product Documentation”...
Page 19: Management Access Security Protection
Table 1-1 on page 1-4 provides an overview of the type of protection offered by each switch security feature. Note ProCurve recommends that you use local passwords together with your switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords.
Page 20: General Switch Traffic Security Guidelines
Getting Started Overview of Access Security Features Table 1-1. Management Access Security Protection Security Feature Offers Protection Against Unauthorized Client Access to Offers Protection Switch Management Features Against Unauthorized Client Connection Telnet SNMP Access to the (Net Mgmt) Browser Client Network Local Manager and Operator PtP:...
Page 21: Conventions
Getting Started Conventions Conventions This guide uses the following conventions for command syntax and displayed information. Feature Descriptions by Model In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offer the feature.
Page 22: Command Prompts
Port Identity Examples This guide describes software applicable to both chassis-based and stackable ProCurve switches. Where port identities are needed in an example, this guide uses the chassis-based port identity system, such as “A1”, “B3 - B5”, “C7”, etc. However, unless otherwise noted, such examples apply equally to the stackable switches, which for port identities typically use only numbers, such as “1”, “3-5”, “15”, etc.
Page 23: Sources For More Information
For information on which product manual to consult on a given ■ software feature, refer to “Product Documentation” on page xi. Note For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve Networking Website at http://www.procurve.com/manuals, then select your switch product.
Page 24: Need Only A Quick Start
If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing.
Page 25: To Set Up And Install The Switch In Your Network
Interpreting LED behavior. ■ For the latest version of the Installation and Getting Started Guide and other documentation for your switch, visit the ProCurve Networking Web site. (Refer to “Product Documentation” on page xi of this guide for further details.)
Page 26 Getting Started Need Only a Quick Start? 1-10...
Page 27: Contents
Configuring Username and Password Security Contents Overview ............2-2 Configuring Local Password Security .
Page 28: Configuring Username And Password Security
Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-6 Set a Password none page 2-4 page 2-5 page 2-6 Delete Password Protection page 2-4 page 2-6 page 2-6 Show front-panel-security — page 1-13 —...
Page 29 Configuring Username and Password Security Overview To configure password security: Set a Manager password pair (and an Operator password pair, if applicable for your system). Exit from the current console session. A Manager password pair will now be needed for full access to the console. If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password.
Page 30: Configuring Local Password Security
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the Web browser interface. From the Main Menu select: 3.
Page 31: Cli: Setting Passwords And Usernames
Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have physical access to the switch, you will need Manager-Level access: Enter the console at the Manager level.
Page 32: Web: Setting Passwords And Usernames
Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:...
Page 33: Front-Panel Security
Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
Page 34: Front-Panel Button Functions
Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button.
Page 35 Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
Page 36: Configuring Front-Panel Security
Configuring Username and Password Security Front-Panel Security Release the Reset button and wait for about one second for the Self-Test LED to start flashing. Reset Clear Self Test When the Self-Test LED begins flashing, release the Clear button Reset Clear Self Test This process restores the switch configuration to the factory default settings.
Page 37 Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-9) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) •...
Page 38 Configuring Username and Password Security Front-Panel Security For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure 2-7. The Default Front-Panel Security Settings Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button...
Page 39 Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.
Page 40 Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on- clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina- tion described under “Restoring the Factory Default Configuration”...
Page 41: Password Recovery
(the default) on the switch prior to an attempt ■ to recover from a lost username/password situation ■ Contacting your ProCurve Customer Care Center to acquire a one-time- use password Disabling or Re-Enabling the Password Recovery Process Disabling the password recovery process means that the only method for...
Page 42 Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.
Page 43: Password Recovery Process
Contact your ProCurve Customer Care Center for further assistance. Using the switch’s MAC address, the ProCurve Customer Care Center will generate and provide a “one-time use” alternate password you can use with the to gain management access to the switch. Once you gain access, you can configure a new, known password.
Page 44 Configuring Username and Password Security Front-Panel Security N o t e The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time.
Page 45: Web And Mac Authentication
Web and MAC Authentication Contents Overview ............3-2 Client Options .
Page 46: Overview
Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-17 — Configure MAC Authentication — 3-22 — Display Web Authentication Status and Configuration — 3-26 — Display MAC Authentication Status and Configuration — 3-28 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access.
Page 47: Client Options
Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well- suited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.
Page 48: General Features
Web and MAC Authentication Overview General Features Web and MAC Authentication includes the following: On a port configured for Web or MAC Authentication, the switch ■ operates as a port-access authenticator using a RADIUS server and the CHAP (Challenge Handshake Authentication Protocol). Inbound traffic is processed by the switch alone, until authentication occurs.
Page 49: How Web And Mac Authentication Operate
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server.
Page 50 Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
Page 51 Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session.
Page 52 Web and MAC Authentication How Web and MAC Authentication Operate If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
Page 53: Terminology
Authentication Server: The entity providing an authentication service to the switch, for example, a RADIUS server. Authenticator: In ProCurve switch applications, a device that requires a client or device to provide the proper credentials (MAC address, or username and password) before being allowed access to the network.
Page 54: Operating Rules And Notes
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: • Web Authentication • MAC Authentication •...
Page 55 Web and MAC Authentication Operating Rules and Notes If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
Page 56: General Setup Procedure For Web/Mac Authentication
Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, ProCurve recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
Page 57 Web and MAC Authentication General Setup Procedure for Web/MAC Authentication If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client ses- sions.
Page 58: Additional Information For Configuring The Radius Server To Support Mac Authentication
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Additional Information for Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: ■...
Page 59: Configuring The Switch To Access A Radius Server
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configuring the Switch To Access a RADIUS Server RADIUS Server Configuration Commands radius-server [host < p-address>] below [key < global-key-string >] below radius-server host < p-address> key <server-specific key-string> 3-16 This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth.
Page 60 For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of ‘2Pzo22’ ProCurve(config)# radius-server host 192.168.32.11 key 2Pzo22 ProCurve(config)# show radius Status and Counters - General RADIUS Information...
Page 61: Configuring Web Authentication
Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication. If a redirect URL is not specified, Web browser behavior following authentication may not be acceptable.
Page 62: Configure The Switch For Web-Based Authentication
Web and MAC Authentication Configuring Web Authentication Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-18 aaa port-access web-based dhcp-lease 3-18 [no] aaa port-access web-based [e] < port-list > 3-19 [auth-vid] 3-19 [client-limit] 3-19 [client-moves] 3-19 [logoff-period]...
Page 63 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based [e] < port-list> Enables Web-based authentication on the specified ports. Use the no form of the command to disable Web- based authentication on the specified ports. Syntax: aaa port-access web-based [e] < port-list> [auth-vid <vid>] no aaa port-access web-based [e] <...
Page 64 Web and MAC Authentication Configuring Web Authentication aaa port-access web-based [e] < port-list > Syntax: [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
Page 65 Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. ProCurve recommends that you provide a redirect URL when using Web Authentica- tion. Use the no form of the command to remove a specified redirect URL.
Page 66: Configuring Mac Authentication On The Switch
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [unauth-vid <vid>] no aaa port-access web-based [e] < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authen- tication.
Page 67: Configure The Switch For Mac-Based Authentication
Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-23 [no] aaa port-access mac-based [e] < port-list > 3-23 [addr-limit] 3-24 [addr-moves] 3-24 [auth-vid] 3-24 [logoff-period] 3-24 [max-requests]...
Page 68 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows client moves between the specified ports under MAC Auth control.
Page 69 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication. (Default: 60 seconds) Syntax: aaa port-access mac-based [e] <...
Page 70: Show Status And Configuration Of Web-Based Authentication
Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command Page port-list show port-access [ ] web-based 3-26 [clients] 3-26 [config] 3-26 [config [auth-server]] 3-27 [config [web-server]] 3-27 port-list show port-access web-based config detail 3-27 Syntax:...
Page 71 Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
Page 72: Show Status And Configuration Of Mac-Based Authentication
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Show Status and Configuration of MAC-Based Authentication Command Page show port-access [port-list] mac-based 3-28 [clients] 3-28 [config] 3-28 [config [auth-server]] 3-29 show port-access port-list mac-based config detail 3-29 Syntax: show port-access [port-list] mac-based Shows the status of all MAC-Authentication enabled ports or the specified ports.
Page 73 Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [config [auth-server]] Shows MAC Authentication settings for all ports or the specified ports, along with the Radius server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
Page 74: Show Client Status
Web and MAC Authentication Show Client Status Show Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated.
Page 75: Tacacs+ Authentication
TACACS+ Authentication Contents Overview ............4-2 Terminology Used in TACACS Applications: .
Page 76: Overview
(local access) or Telnet (remote access). A3 or Terminal “A” Directly ProCurve Switch Accessing the Switch Configured for A2 or Via Switch’s Console...
Page 77: Terminology Used In Tacacs+ Applications
TACACS+ Authentication Configuring TACACS+ on the Switch the switch first tries to contact a designated TACACS+ server for authentica- tion services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.
Page 78 TACACS+ Authentication Configuring TACACS+ on the Switch • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or Web browser inter- face.
Page 79: General System Requirements
TACACS+ servers. Notes The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application. For this reason, ProCurve recommends that you thoroughly test all TACACS+ configurations used in your network. TACACS-aware ProCurve switches include the capability of configuring multiple backup TACACS+ servers.
Page 80 TACACS+ Authentication Configuring TACACS+ on the Switch other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...
Page 81 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, ProCurve recom- mends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
Page 82: Configuring Tacacs+ On The Switch
Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, ProCurve recommends that you read the “General Authentication Setup Procedure” on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch.
Page 83: Cli Commands Described In This Section
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication pages 4-11 through 4-15 console Telnet num-attempts <1-10 > tacacs-server pages 4-18 host < ip-addr > pages 4-18 4-22 timeout <...
Page 84: Viewing The Switch's Current Tacacs+ Server Contact Configuration
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. show tacacs Syntax: For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a...
Page 85: Configuring The Switch's Authentication Methods
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures access control for the following access methods: ■ Console Telnet ■ ■ ■ ■ Web-based (port access) ■ Port-access (802.1X) However, TACACS+ authentication is only used with the console, Telnet, or SSH access methods.
Page 86 TACACS+ Authentication Configuring TACACS+ on the Switch Command Syntax Syntax: aaa authentication < console | telnet | ssh | web | web-based | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level.
Page 87: Authentication Parameters
TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters Table 4-1. AAA Authentication Parameters Name Default Range Function console, Telnet, Specifies the access method used when authenticating. TACACS+ SSH, web , port- authentication only uses the console, Telnet or SSH access methods. access, web- based port access...
Page 88 TACACS+ Authentication Configuring TACACS+ on the Switch As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
Page 89 The following examples illustrate the use of access options: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local.
Page 90 The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. ProCurve(config)# aaa authentication login privilege-mode The no version of the above command disables TACACS+ single login capa- bility.
Page 91 TACACS+ Authentication Configuring TACACS+ on the Switch Check the Privilege level box and set the privilege level to 15 to allow “root” privileges. This allows you to use the single login option. Figure 4-5. The Shell Section of the TACACS+ Server User Setup 4-17...
Page 92: Configuring The Switch's Tacacs+ Server Access
Note As described under “General Authentication Setup Procedure” on page 4-5, ProCurve recommends that you configure, test, and troubleshoot authentica- tion via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
Page 93 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > key-string [key < >] Adds a TACACS+ server and optionally assigns a server- specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server-specific encryption key, if any).
Page 94 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-3. Details on Configuring TACACS Servers and Keys Name Default Range tacacs-server host <ip-addr> none This command specifies the IP address of a device running a TACACS+ server application. Optionally, it can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key.
Page 95 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range [ key <key-string> ] none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
Page 96 To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key.
Page 97: How Authentication Operates
TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note The show tacacs command lists the global encryption key, if configured.
Page 98 TACACS+ Authentication Configuring TACACS+ on the Switch Terminal “A” Directly Accessing This First-Choice Switch Via Switch’s Console Port TACACS+ Server ProCurve Switch Configured for TACACS+ Operation Second-Choice TACACS+ Server (Optional) Terminal “B” Remotely Accessing This Switch Via Telnet ProCurve Switch...
Page 99: Local Authentication Process
TACACS+ Authentication Configuring TACACS+ on the Switch • If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4. In the default configuration, the switch allows up to three attempts to authenticate a login session.
Page 100: Using The Encryption Key
TACACS+ Authentication Configuring TACACS+ on the Switch Note The switch’s menu allows you to configure only the local Operator and Manager passwords, and not any usernames. In this case, all prompts for local authentication will request only a local password. However, if you use the CLI or the Web browser interface to configure usernames for local access, you will see a prompt for both a local username and a local password during local authentication.
Page 101 Because this key is different than the one used for the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server: ProCurve(config)# tacacs-server host 10.28.227.87 key south10campus With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.
Page 102: Controlling Web Browser Interface Access When Using Tacacs+ Authentication
TACACS+ Authentication Configuring TACACS+ on the Switch Controlling Web Browser Interface Access When Using TACACS+ Authentication Configuring the switch for TACACS+ authentication does not affect Web browser interface access. To prevent unauthorized access through the Web browser interface, do one or more of the following: ■...
Page 103: Messages Related To Tacacs+ Operation
TACACS+ Authentication Configuring TACACS+ on the Switch Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa- tion on such messages, refer to the documentation you received with the application.
Page 104: Operating Notes
TACACS+ Authentication Configuring TACACS+ on the Switch Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.
Page 105 TACACS+ Authentication Configuring TACACS+ on the Switch 4-31...
Page 106 TACACS+ Authentication Configuring TACACS+ on the Switch 4-32...
Page 107: Radius Authentication, Authorization And Accounting
RADIUS Authentication, Authorization and Accounting Contents Overview ............5-2 Terminology .
Page 108: Overview
For accounting, this can help you track network resource usage. Authentication. You can use RADIUS to verify user identity for the follow- ing types of primary password access to the ProCurve switch: ■ Serial port (Console) ■...
Page 109: Terminology
EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.
Page 110: Switch Operating Rules For Radius
■ type of access. (Only one primary and one secondary access method is allowed for each access type.) In the ProCurve switch, EAP RADIUS uses MD5 and TLS to encrypt ■ a response to a challenge from a RADIUS server.
Page 111: General Radius Setup Procedure
RADIUS as the primary authentication method. Consider both Operator (login) and Manager (enable) levels, as well as which secondary authentication methods to use (local or none) if the RADIUS authentication fails or does not respond. ProCurve> show authentication Status and Counters - Authentication Information Login Attempts : 3...
Page 112: Configuring The Switch For Radius Authentication
IP address to the switch. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds).
Page 113: Outline Of The Steps For Configuring Radius Authentication
RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: Configure RADIUS authentication for controlling access through one or more of the following •...
Page 114: Configure Authentication For The Access Methods You Want Radius To Protect
RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled; range: 1 - 1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again.
Page 115 RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): ProCurve(config)# aaa authentication telnet login radius none ProCurve(config)# aaa authentication telnet enable radius none ProCurve(config)# aaa authentication ssh login radius none...
Page 116: Configure The Switch To Access A Radius Server
RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-25: “Configuring RADIUS Accounting”...
Page 117 RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”.
Page 118: Configure The Switch's Global Radius Parameters
RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: Number of login attempts: In a given session, specifies how many ■...
Page 119 RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication num-attempts < 1 - 10 > Specifies how many tries for entering the correct user- name and password before shutting down the session due to input errors. (Default: 3; Range: 1 - 10). [no] radius-server key <...
Page 120 RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: Allow only two tries to correctly enter username and password.
Page 121 RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication ProCurve# show authentication Status and Counters - Authentication Information After two attempts failing due Login Attempts : 2 to username or password Respect Privilege : Disabled entry errors, the switch will terminate the session.
Page 122: Local Authentication Process
RADIUS Authentication, Authorization and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...
Page 123: Controlling Web Browser Interface Access When Using Radius Authentication
RADIUS Authentication, Authorization and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication To prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch.
Page 124: Enabling Authorization
The NAS does not request authorization information. For example, to enable the RADIUS protocol as the authorization method: ProCurve(config)# aaa authorization commands radius When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes —the command list and the command exception flag.
Page 125: Displaying Authorization Information
Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access- Accept packets sent to the switch may contain the vendor-specific informa- tion.
Page 126 RADIUS Authentication, Authorization and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. HP-Command-String HP-Command-Exception Description Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server.
Page 127: Example Configuration On Cisco Secure Acs For Ms Windows
RADIUS Authentication, Authorization and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface.
Page 128 RADIUS Authentication, Authorization and Accounting Commands Authorization [Hp-Command-Exception] Type=INTEGER Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils>...
Page 129 RADIUS Authentication, Authorization and Accounting Commands Authorization HKEY_LOCAL_MACHINE\software\cisco\CiscoAAAv3.2\ CSRadius\ExtensionPoints\002\AssociatedWithVendors Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). Restart all Cisco services. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes.
Page 130 RADIUS Authentication, Authorization and Accounting Commands Authorization dictionary.hp As posted to the list by User <user_email> Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 VENDOR # HP Extensions ATTRIBUTE Hp-Command-String string ATTRIBUTE Hp-Command-Exception integer # Hp-Command-Exception Attribute Values VALUE Hp-Command-Exception Permit-List VALUE Hp-Command-Exception Deny-List...
Page 131: Configuring Radius Accounting
RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-28 [acct-port < port-number >] 5-28 [key < key-string >] 5-28 [no] aaa accounting < exec | network | system > 5-31 <...
Page 132 RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Note This section assumes you have already: Configured RADIUS authentication on the switch for one or more ■ access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to “General RADIUS Setup Procedure” on page 5-5 before continuing here.
Page 133: Operating Rules For Radius Accounting
RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, refer to the documentation provided with your RADIUS server.
Page 134 RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig- nating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server.
Page 135 RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server.
Page 136: Reports To The Radius Server
RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non- default 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812.
Page 137 RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Start-Stop: ■ • Send a start record accounting notice at the beginning of the account- ing session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).
Page 138 RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. Updates: In addition to using a Start-Stop or Stop-Only trigger, you ■ can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
Page 139: Viewing Radius Statistics
RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
Page 140 RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics Figure 5-12. RADIUS Server Information From the Show Radius Host Command Table 5-2. Values for Show Radius Host Output (Figure 5-12) Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server.
Page 141: Radius Authentication Statistics
RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics Term Definition Access Requests The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.) Accounting Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions.
Page 142: Radius Accounting Statistics
RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics Figure 5-14. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres- sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config- ured in the switch (using the radius-server host command).
Page 143 RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics Figure 5-16. Example of RADIUS Accounting Information for a Specific Server Figure 5-17. Example Listing of Active RADIUS Accounting Sessions on the Switch 5-37...
Page 144: Changing Radius-Server Access Order
RADIUS Authentication, Authorization and Accounting Changing RADIUS-Server Access Order Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
Page 145 RADIUS Authentication, Authorization and Accounting Changing RADIUS-Server Access Order Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list. Re-enter 10.10.10.001. Because the only position open is the third position, this address becomes last in the list.
Page 146: Messages Related To Radius Operation
RADIUS Authentication, Authorization and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning A designated RADIUS server is not responding to an Can’t reach RADIUS server < x.x.x.x >. authentication request. Try pinging the server to determine whether it is accessible to the switch.
Page 147: Configuring Secure Shell (Ssh)
Configuring Secure Shell (SSH) Contents Overview ............6-2 Terminology .
Page 148: Overview
Enabling user authentication Disabled page 6-18 The ProCurve switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation.
Page 149 Configuring Secure Shell (SSH) Overview Note SSH in the ProCurve switch is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
Page 150: Terminology
Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: A ProCurve switch with SSH enabled. Key Pair: A pair of keys generated by the switch or an SSH client ■ application. Each pair includes a public key, that can be read by anyone and a private key, that is held internally in the switch or by a client.
Page 151: Prerequisite For Using Ssh
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.
Page 152: Steps For Configuring And Using Ssh For Switch And Client Authentication
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1.
Page 153 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). Generate a public/private key pair on the switch (page 6-10). You need to do this only once.
Page 154: General Operating Rules And Notes
(clients) you previously set up for SSH access to the switch. In some situations this can temporarily allow security breaches. On ProCurve switches that support stacking, when stacking is ■ enabled, SSH provides security only between an SSH client and the stack manager.
Page 155: Configuring The Switch For Ssh Operation
1. Assign Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Page 156: Generate The Switch's Public And Private Key Pair
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-4. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
Page 157 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent";...
Page 158 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 Views of Same Host Public Key Figure 6-5. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays data in two different formats because your client may store it in either of these formats after learning the key.
Page 159: Provide The Switch's Public Key To Clients
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 3. Provide the Switch’s Public Key to Clients When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client’s "known host"...
Page 160 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...
Page 161: Enable Ssh On The Switch And Anticipate Ssh Client Contact Behavior
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 6-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
Page 162 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
Page 163 TCP port for SSH connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the ProCurve switches are 49, 80, 1506, and 1513.
Page 164: Configure The Switch For Ssh Authentication
Client Public-Key Authentication” on page 6-22 Note ProCurve recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch’s configuration.
Page 165 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and second- ary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.
Page 166 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ip-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (Default: none).
Page 167 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager user- Configures the name and password. switch to allow SSH access only a client whose public key matches one of the keys in the public key file Configures the primary and secondary password methods for Copies a public key file Manager (enable) access.
Page 168: Use An Ssh Client To Access The Switch
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems"...
Page 169 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH: The client sends its public key to the switch with a request for authenti- cation.
Page 170 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for RSA challenge-response authenti- cation, and require an understanding of how to use your SSH client applica- tion.
Page 171 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The switch supports the following client-public-key properties: Property Supported Comments...
Page 172 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: copy tftp pub-key-file <ip-address> <filename> [<append | manager | operator>] Copies a public key file from a TFTP server into flash memory in the switch. The append option adds the key(s) for operator access. The manager option adds the key(s) for manager access;...
Page 173 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Key Index Number Figure 6-14. Example of Copying and Displaying a Client Public-Key File Containing Two Client Public Keys Replacing or Clearing the Public Key File.
Page 174: Messages Related To Ssh Operation
Configuring Secure Shell (SSH) Messages Related to SSH Operation Syntax: aaa authentication ssh login public-key none Allows SSH client access only if the switch detects a match between the client’s public key and an entry in the client- public-key file most recently copied into the switch. C a u t i o n To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must...
Page 175 Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning The client key does not exist in the switch. Use copy Client public key file corrupt or tftp to download the key from a TFTP server. not found. Use 'copy tftp pub-key- file <ip-addr>...
Page 176 Configuring Secure Shell (SSH) Messages Related to SSH Operation 6-30...
Page 177: Configuring Secure Socket Layer (Ssl)
Configuring Secure Socket Layer (SSL) Contents Overview ............7-2 Terminology .
Page 178: Overview
SSL/TLS operation. Note ProCurve switches use SSL and TLS for all secure web transactions, and all references to SSL mean using one of these algorithms unless otherwise noted SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated transactions.
Page 179: Terminology
(SSL enable password authentication) Server) options: – Local – TACACS+ – RADIUS Figure 7-1. Switch/User Authentication SSL on the ProCurve switches supports these data encryption methods: ■ 3DES (168-bit, 112 Effective) DES (56-bit) ■ RC4 (40-bit, 128-bit) ■ Note: ProCurve switches use RSA public key algorithms and Diffie-Hellman. All...
Page 180 Configuring Secure Socket Layer (SSL) Terminology Self-Signed Certificate: A certificate not verified by a third-party ■ certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate. CA-Signed Certificate: A certificate verified by a third party certif- ■...
Page 181: Prerequisite For Using Ssl
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com- puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...
Page 182: General Operating Rules And Notes
The certificate key pair and the SSH key pair are independent of each other, which means a switch can have two keys pairs stored in flash On ProCurve switches that support stacking, when stacking is ■ enabled, SSL provides security only between an SSL client and the stack manager.
Page 183: Assign Local Login (Operator) And Enable (Manager) Password
1. Assign Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s...
Page 184 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled “Using the Web Browser Interface”...
Page 185: Generate The Switch's Server Host Certificate
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes 2. Generate the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch.
Page 186 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes To Generate or Erase the Switch’s Server Certificate with the Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.
Page 187: Comments On Certificate Fields
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Comments on Certificate Fields. There are a number arguments used in the generation of a server certificate. table 7-1, “Certificate Field Descriptions” describes these arguments. Table 7-1. Certificate Field Descriptions Field Name Description Valid Start Date...
Page 188 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Note “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.
Page 189 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the Web Browser Interface”...
Page 190 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes For example, to generate a new host certificate via the web browsers inter- face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: Select the Security tab.
Page 191 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Current SSL Host Certificate Figure 7-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web Browser Interface This section describes how to install a CA-Signed server host certificate from the web browser interface.
Page 192 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
Page 193: Enable Ssl On The Switch And Anticipate Ssl Browser Contact Behavior
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 7-7. Example of a Certificate Request and Reply 3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
Page 194 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generate the Switch’s Server Host Certificate” on page 7-9. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard web browser interface with the no web-management command it will be still available for...
Page 195 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
Page 196 Figure 7-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t ProCurve recommends using the default IP port number (443). However, you Num b er can use web-management ssl tcp-port to specify any TCP port for SSL connec- tions except those reserved for other purposes.
Page 197: Common Errors In Ssl Setup
Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup Common Errors in SSL Setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...
Page 198 Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup 7-22...
Page 199: Configuring Port-Based And Client-Based Access Control (802.1X)
Configuring Port-Based and Client-Based Access Control (802.1X) Contents Overview ............8-3 Why Use Port-Based or Client-Based Access Control? .
Page 200 Configuring Port-Based and Client-Based Access Control (802.1X) Contents Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices ..........8-40 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches .
Page 201: Overview
RADIUS servers while allowing a given user to use the same entering valid user credentials for access from multiple points within the network. General Features 802.1X on the ProCurve switches covered in this manual includes the follow- ing: Switch operation as both an authenticator (for supplicants having a ■...
Page 202: User Authentication Methods
Configuring Port-Based and Client-Based Access Control (802.1X) Overview cated clients per-port. • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.
Page 203 Configuring Port-Based and Client-Based Access Control (802.1X) Overview 802.1X Port-Based Access Control 802.1X port-based access control provides port-level security that allows LAN access only on ports where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials. For reasons outlined below, this option is recommended for applications where only one client at a time can connect to the port.
Page 204 Configuring Port-Based and Client-Based Access Control (802.1X) Overview access from a master database in a single server (although you can use up to three RADIUS servers to provide backups in case access to the primary server fails). It also means a user can enter the same username and password pair for authentication, regardless of which switch is the access point into the LAN.
Page 205: Terminology
Authenticator: In ProCurve applications, a switch that requires a supplicant to provide the proper credentials before being allowed access to the network.
Page 206 Configuring Port-Based and Client-Based Access Control (802.1X) Terminology as defined in the EAPOL: Extensible Authentication Protocol Over LAN, 802.1X standard Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital signature over a stream of bytes.
Page 207 Configuring Port-Based and Client-Based Access Control (802.1X) Terminology designate as the Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does not have to be statically configured as a member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.
Page 208: General 802.1X Authenticator Operation
Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...
Page 209: Switch-Port Supplicant Operation
Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation • If 802.1X (port-access) on the switch is configured for local authenti- cation, then: The switch compares the client’s credentials with the username and password configured in the switch (Operator or Manager level).
Page 210: General Operating Rules And Notes
Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes The RADIUS server then responds with an MD5 access challenge that switch “B” forwards to port A1 on switch “A”. Port A1 replies with an MD5 hash response based on its username and password or other unique credentials.
Page 211 Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes Using port-based 802.1X authentication, when a port on the switch is ■ configured as an authenticator, one authenticated client opens the port. Other clients that are not running an 802.1X supplicant applica- tion can have access to the switch and network through the opened port.
Page 212: General Setup Procedure For 802.1X Access Control
Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.)
Page 213: Overview: Configuring 802.1X Authentication On The Switch
Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to “RADIUS Authentication, Authori- zation and Accounting”...
Page 214 Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1X port.
Page 215: Configuring Switch Ports As 802.1X Authenticators
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configuring Switch Ports as 802.1X Authenticators 802.1X Authentication Commands Page [no] aaa port-access authenticator < [ethernet] < port-list > 8-18 [control | quiet-period | tx-period | client-limit | supplicant-timeout | 8-18 server-timeout | logoff-period | max-requests | reauth-period | auth-vid | unauth-vid | initialize | reauthenticate | clear-statistics]...
Page 216 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication Syntax: [ no ] aaa port-access authenticator < port-list > Enables specified ports to operate as 802.1X authenticators and enables port-based authentication.
Page 217 This example enables ports A10-A12 to operate as authenticators, and then configures the ports for client-based authentication. ProCurve(config)# aaa port-access authenticator a10-A12 ProCurve(config)# aaa port-access authenticator a10-A12 client-limit 2 Figure 8-3. Example of Configuring Client-Based 802.1X Authentication Example: Configuring Port-Based 802.1X Authentication This example enables ports A13-A15 to operate as authenticators, and then configures the ports for port-based authentication.
Page 218: Reconfigure Settings For Port-Access
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 2. Reconfigure Settings for Port-Access The commands in this section are initially set by default and can be reconfig- ured as needed. Syntax: aaa port-access authenticator < port-list > [control <...
Page 219 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
Page 220 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...
Page 221: Configure The 802.1X Authentication Method
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenti- cator.
Page 222: Enter The Radius Host Ip Address(Es)
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands.
Page 223: Optionally Resetting Authenticator Operation
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optionally Resetting Authenticator Operation After authentication has begun operating, these commands can be used to reset authentication and related statistics on specific ports. Syntax: aaa port-access authenticator < port-list > [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process.
Page 224: 802.1X Open Vlan Mode
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 8-17 802.1X Supplicant Commands page 8-42 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator [e] < port-list > page 8-37 [auth-vid <...
Page 225: Vlan Membership Priorities
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X client-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenti- cated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.
Page 226: Use Models For 802.1X Open Vlan Modes
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port belongs to a tagged VLAN used for 1 or 2 above, then it operates as an untagged member of that VLAN while the client is connected.
Page 227 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN •...
Page 228 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN.
Page 229: Operating Rules For Authorized-Client And Unauthorized-Client Vlans
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session.
Page 230 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Temporary VLAN Membership During • Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client a Client Session receives authentication or the client disconnects from the port, whichever is first.
Page 231 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule IP Addressing for a Client Connected A client can either acquire an IP address from a DHCP server or have to a Port Configured for 802.x Open a preconfigured, manual IP address before connecting to the switch.
Page 232: Setting Up And Configuring 802.1X Open Vlan Mode
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode N o t e If you use the same VLAN as the Unauthorized-Client VLAN for all authenti- cator ports, unauthenticated clients on different ports can communicate with each other. Setting Up and Configuring 802.1X Open VLAN Mode Preparation.
Page 233 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode A client must either have a valid IP address configured before ■ connecting to the switch, or download one through the Unauthorized- Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN.
Page 234 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Configure the 802.1X authentication type. Options include: Syntax: aaa authentication port-access < local | eap-radius | chap-radius > Determines the type of RADIUS authentication to use. local: Use the switch’s local username and password for supplicant authentication (the default).
Page 235 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note If you want to implement the optional port security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices”...
Page 236: 802.1X Open Vlan Operating Notes
Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80 Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.
Page 237 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode If a port is configured as a tagged member of VLAN “X” that is not ■ used as an Unauthorized-Client, Authorized-Client, or RADIUS- assigned VLAN, then the port returns to tagged membership in VLAN “X”...
Page 238: Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices
802.1X; that is with the control mode in the port-access authenticator command set to auto. For example, to configure port A10 for 802.1X authenticator operation and display the result: ProCurve(config)# aaa port-access authenticator e A10 control auto ProCurve(config)# show port-access authenticator e A10...
Page 239 Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices N o t e o n If the port’s 802.1X authenticator control mode is configured to authorized (as B l o c k i n g a N o n - shown below, instead of auto), then the first source MAC address from any 80 2 .
Page 240: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configure the port access type. Syntax: aaa port-access auth < port-list > client-limit < 1 - 8> Configures client-based 802.1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn.
Page 241 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Example Suppose that you want to connect two switches, where: Switch “A” has port A1 configured for 802.1X supplicant operation ■...
Page 242 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches The RADIUS server then analyzes the response and sends either a “suc- cess” or “failure” packet back through switch “B” to port A1. •...
Page 243 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Syntax: aaa port-access supplicant [ethernet] < port-list > To enable supplicant operation on the designated ports, execute this command without any other parameters. After doing this, you can use the command again with the following parameters to configure supplicant oper- tion.
Page 244 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [max-start < 1 - 10 >] Defines the maximum number of times the supplicant port requests authentication. See step 1 on page 8-44 for a description of how the port reacts to the authen- ticator response.
Page 245: Displaying 802.1X Configuration, Statistics, And Counters
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 8-17 802.1X Supplicant Commands page 8-42 802.1X Open VLAN Mode Commands page 8-26 802.1X-Related Show Commands show port-access authenticator below show port-access supplicant page 8-53...
Page 246 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of the ports configured as 802.1X authenticators •...
Page 247 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show port-access authenticator config Port Access Authenticator Configuration Port-access authenticator activated [No] : No | Re-auth Access Quiet Supplicant Server Port | Period Control Reqs Period...
Page 248: Viewing 802.1X Open Vlan Mode Status
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port- access authenticator and show vlan < vlan-id > commands as illustrated in this section.
Page 249 This state is controlled by the following port-access command syntax: ProCurve(config)# aaa port-access authenticator < port-list > control < authorized | auto | unauthorized > Auto: Configures the port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials.
Page 250 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 8-3. Open VLAN Mode Status Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port.
Page 251: Show Commands For Port-Access Supplicant
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [[e] < port-list >] [statistics] show port-access supplicant [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...
Page 252: How Radius/802.1X Authentication Affects Vlan Operation
Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement.
Page 253 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access...
Page 254 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.
Page 255 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.
Page 256: Messages Related To 802.1X Operation
Port < port-list > is not an authenticators. Use this command to enable the ports as authenticator. authenticators: ProCurve(config)# aaa port-access authenticator e 10 Occurs when there is an attempt to change the supplicant Port < port-list > is not a configuration on a port that is not currently enabled as a supplicant.
Page 257: Configuring And Monitoring Port Security
Configuring and Monitoring Port Security Contents Overview ............9-2 Basic Operation .
Page 258: Overview
Configuring and Monitoring Port Security Overview Overview Feature Default Menu Displaying Current Port Security n/a — page 9-10 page 9-28 Configuring Port Security disabled — page 9-12 page 9-28 Intrusion Alerts and Alert Flags page 9-34 page 9-32 page 9-35 Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port.
Page 259: Blocking Unauthorized Traffic
Configuring and Monitoring Port Security Overview General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through one or more of the following: Alert flags that are captured by network management tools...
Page 260: Trunk Group Exclusion
Configuring and Monitoring Port Security Overview Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security Port Security Configured Configured PC 1 PC 1 MAC Address Authorized MAC Address Authorized by Switch A by Switch A Switch B Switch B PC 2...
Page 261: Planning Port Security
Configuring and Monitoring Port Security Planning Port Security Planning Port Security Plan your port security configuration and monitoring according to the following: On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port and how many devices do you want to allow per port (up to 8)? Within the devices-per-port limit, do you want to let the switch automatically accept devices it detects on a port, or do you want it...
Page 262: Port Security Command Options And Operation
Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 9-11 port-security 9-12 < [ethernet] port-list > 9-12 [learn-mode] 9-12 [address-limit] 9-12 [mac-address] 9-12 [action] 9-12 [clear-intrusion-flag]...
Page 263 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > learn-mode < continuous | static | configured | port-access > Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected.
Page 264 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) learn-mode < continuous | static | configured | port-access > Configured: The static-configured option operates the same as the static-learn option on the preceding page, except that it does not allow the switch to accept non-specified addresses to reach the address limit.
Page 265 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network man- agement station. Operates when: •...
Page 266: Retention Of Static Mac Addresses
Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static MAC Addresses Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: The port learns a MAC address after you configure the port with learn- ■...
Page 267 Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI To Display Port Security Settings. Syntax: show port-security show port-security [e] <port number> show port-security [e] [<port number>-<port number]. . .[,<port number>] Without port parameters, show port-security displays operating control settings for all ports on a switch.
Page 268: Configuring Port Security
(The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port. ProCurve(config)# port-security a1 learn-mode static action send-disable The next example does the same as the preceding example, except that it...
Page 269 Configuring and Monitoring Port Security Port Security Command Options and Operation ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example configures port A5 to: Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the ■ authorized devices. ■ Send an alarm to a management station if an intruder is detected on the port.
Page 270 Figure 9-4. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address. ProCurve(config)# port-security a1 mac-address 0c0090- 456456 After executing the above command, the security configuration for port A1...
Page 271 To add a second authorized device to port A1, execute a port-security command for port A1 that raises the address limit to 2 and specifies the additional device’s MAC address. For example: ProCurve(config)# port-security a1 mac-address 0c0090- 456456 address-limit 2 Removing a Device From the “Authorized” List for a Port Configured for Learn-Mode Static.
Page 272 The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configuration for port 9-16...
Page 273: Mac Lockdown
Configuring and Monitoring Port Security MAC Lockdown ProCurve(config)# show port-security 1 Port Security Port : 1 Learn Mode : Static Address Limit : 1 Action: None Authorized Addresses -------------------- 0c0090-456456 Figure 9-8. Example of Port A1 After Removing One MAC Address MAC Lockdown MAC Lockdown, also known as “static addressing,”...
Page 274 Configuring and Monitoring Port Security MAC Lockdown How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data.
Page 275: Differences Between Mac Lockdown And Port Security
Configuring and Monitoring Port Security MAC Lockdown You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address. MAC Lockdown and 802.1X authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggrega- tions).
Page 276 Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
Page 277: Deploying Mac Lockdown
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
Page 278 Configuring and Monitoring Port Security MAC Lockdown Internal Server “A” Core 3400cl or 3400cl or 5300xl Switch 5300xl Switch Network There is no need to lock MAC addresses on switches in the internal core network. 3400cl or 3400cl or 5300xl Switch 5300xl Switch Network Edge Lock Server “A”...
Page 279 Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
Page 280 Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External...
Page 281: Mac Lockout
Displaying status. Locked down ports are listed in the output of the show running-config command in the CLI. The show static-mac command also lists the locked down MAC addresses, as shown below. ProCurve(config)# show static-mac VLAN MAC Address Port 1 001083-34f8fa 9...
Page 282 Configuring and Monitoring Port Security MAC Lockout How It Works. Let’s say a customer knows there are unauthorized wireless clients who should not have access to the network. The network administrator “locks out” the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac <mac-address>).
Page 283: Port Security And Mac Lockout
Configuring and Monitoring Port Security MAC Lockout ProCurve(config)# show lockout-mac Locked Out Addresses 007347-a8fd30 Number of locked out MAC addresses = 1 ProCurve(config)# Figure 9-12. Listing Locked Out Ports Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command.
Page 284: Web: Displaying And Configuring Port Security Features
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features Click on the Security tab. Click on [Port Security]. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.
Page 285: How The Intrusion Log Operates
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security viola- tions • In the web browser interface: –...
Page 286: Keeping The Intrusion Log Current By Resetting Alert Flags
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Keeping the Intrusion Log Current by Resetting Alert Flags When a violation occurs on a port, an alert flag is set for that port and the violation is entered in the Intrusion Log. The switch can detect and handle subsequent intrusions on that port, but will not log another intrusion on the port until you reset the alert flag for either all ports or for the individual port.
Page 287 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The Intrusion Alert column shows “Yes” for any port on which a security violation has been detected. Figure 9-14. Example of Port Status Screen with Intrusion Alert on Port A3 Type ) to display the Intrusion Log.
Page 288 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.) Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
Page 289 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. Intrusion Alert on port A1. Figure 9-16. Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command.
Page 290: Using The Event Log To Find Intrusion Alerts
Intrusion Alert entry for port A1 has changed to “No”. (Executing show port-security intrusion-log again will result in the same display as above, and does not include the Intrusion Alert status.) ProCurve(config)# port-security a1 clear-intrusion-flag ProCurve(config)# show interfaces brief Intrusion Alert on port A1 is now cleared.
Page 291: Web: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command with “security” for Search String Log Listing with Security Violation Detected Log Listing with No Security Violation Detected Figure 9-19. Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4.
Page 292: Operating Notes For Port Security
LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port. For example: ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s).
Page 293: Configuring Protected Ports
Configuring Protected Ports The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together.
Page 294 If you display the running config file (show running-config) you will see the ports that have been selected as protected ports. ProCurve(config)# show running-config Running configuration: ; J9280A Configuration Editor; Created on release #Y.11.XX hostname "ProCurve Switch 2510G-48" snmp-server community "public" Unrestricted vlan 1 name "DEFAULT_VLAN" untagged 1-48...
Page 295 Configuring and Monitoring Port Security Configuring Protected Ports In the example in Figure 9-23, ports 1 through 8 are protected. Port 2 connects to Room 2 and Port 4 connects to Room 4. Ports 9 and 10 are unprotected and provide access to the internet.
Page 296 Configuring and Monitoring Port Security Configuring Protected Ports 9-40...
Page 297: Using Authorized Ip Managers
Using Authorized IP Managers Contents Overview ........... . . 10-2 Configuration Options .
Page 298: Overview
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu Listing (Showing) Authorized page 10-5 page 10-6 page 10-9 Managers Configuring Authorized IP None page 10-5 page 10-6 page 10-9 Managers Building IP Masks page 10-9 page 10-9 page 10-9 Operating and Troubleshooting page 10-12 page 10-12 page 10-12...
Page 299: Configuration Options
Using Authorized IP Managers Access Levels Configuration Options You can configure: Up to 10 authorized manager addresses, where each address applies ■ to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only) C a u t i o n Configuring Authorized IP Managers does not protect access to the switch...
Page 300: Defining Authorized Management Stations
Using Authorized IP Managers Defining Authorized Management Stations Operator: Allows read-only access from the web browser and ■ console interfaces. (This is the same access that is allowed by the switch’s operator-level password feature.) Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single ■...
Page 301: Menu: Viewing And Configuring Ip Authorized Managers
Using Authorized IP Managers Defining Authorized Management Stations For example, a mask of 255.255.255.0 and any value for the Authorized Manager IP parameter allows a range of 0 through 255 in the 4th octet of the authorized IP address, which enables a block of up to 254 IP addresses for IP management access (excluding 0 for the network and 255 for broadcasts).
Page 302: Cli: Viewing And Configuring Authorized Ip Managers
Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks”...
Page 303: Configuring Ip Authorized Managers For The Switch
Applies only to access through Telnet, SNMPv1, and SNMPv2c. Refer to the Note on page 11-3. To Authorize Manager Access. This command authorizes manager-level access for any station having an IP address of 10.28.227.0 through 10.28.227.255: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access manager 10-7...
Page 304 ProCurve(config)# ip authorized-managers 10.28.227.101 To Delete an Authorized Manager Entry. This command uses the IP address of the authorized manager you want to delete: ProCurve(config)# no ip authorized-managers 10.28.227.101 10-8...
Page 305: Web: Configuring Ip Authorized Managers
Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: Click on the Security tab. Click on [Authorized Addresses].
Page 306: Configuring Multiple Stations Per Authorized Manager Ip Entry
Using Authorized IP Managers Building IP Masks Table 10-1. Analysis of IP Mask for Single-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in each octet of the mask specifies that only the exact value in that octet of the corresponding IP address is allowed.
Page 307 Using Authorized IP Managers Building IP Masks Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask In this example (figure 10-5, below), the IP mask allows a group of up to 4 management stations to access the switch. This is useful if the only Authorized devices in the IP address group allowed by the mask are management IP Address...
Page 308: Additional Examples For Authorizing Multiple Stations
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...
Page 309 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...
Page 310 Using Authorized IP Managers Operating Notes 10-14...
Page 311 Index Numerics authorized-client VLAN, defined … 8-7 auth-vid … 8-22 3DES … 6-3, 7-3 auto … 8-20 802.1X clear-statistics … 8-25 See port-based access control. … 8-1 control command … 8-20 802.1X access control EAPOL … 8-8 authentication methods … 8-4 force authorized …...
Page 312 aaa port-access See Web or MAC Authentication. DES … 6-3, 7-3 access levels, authorized IP managers … 10-3 disclaimer … 1-ii accounting duplicate IP address See RADIUS. effect on authorized IP managers … 10-12 address authorized for port security … 9-3 authentication See TACACS.
Page 313 length … 2-4 operator only, caution … 2-3 MAC Authentication pair … 2-2 authenticator operation … 3-5 setting … 2-4 blocked traffic … 3-4 password pair … 2-2 CHAP password security … 6-18 defined … 3-9 port usage … 3-4 security configuration …...
Page 314 LACP not allowed … 8-58 logical ports … 9-37 local … 8-23 show local username and password … 8-4 protected ports messages … 8-58 show running config … 9-38 open VLAN proxy authorized client … 8-28 web server … 9-36 configuration …...
Page 315 security … 5-9 crypto key … 6-11 security note … 5-2 disabling … 6-11 server access order … 5-27 enable … 6-16, 7-19 server access order, changing … 5-38 enabling … 6-15 servers, multiple … 5-13 erase host key pair … 6-11 show accounting …...
Page 316 generate self-signed … 7-13 configuration, viewing … 4-10 generate self-signed certificate … 7-10, 7-13 encryption key … 4-6, 4-18, 4-19, 4-22 generate server host certificate … 7-10 encryption key, general operation … 4-26 generating Host Certificate … 7-9 encryption key, global … 4-23 host key pair …...
Page 317 value, inconsistent … 9-14 vendor-specific attribute configuring support for HP VSAs … 5-20 defining … 5-21 VLAN 802.1X … 8-54 802.1X, ID changes … 8-57 802.1X, suspend untagged VLAN … 8-51 not advertised for GVRP … 8-57 warranty … 1-ii Web Authentication authenticator operation …...
Page 318 8 – Index...
Page 320 Technical information in this document is subject to change without notice. © Copyright 2008 Hewlett-Packard Development Company, L.P. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. June 2008 Manual Part Number 5992-3097...

HP ProCurve 2510G Series Manual

Product Documentation

Getting Started

Configuring Username and Password Security

Web and MAC Authentication

TACACS+ Authentication

RADIUS Authentication, Authorization and Accounting

Configuring Secure Shell (SSH)

Configuring Secure Socket Layer (SSL)

Configuring Port-Based and Client-Based Access Control (802.1X)

Configuring and Monitoring Port Security

Using Authorized IP Managers

Quick Links

Related Manuals for HP ProCurve 2510G Series

Summary of Contents for HP ProCurve 2510G Series