Page 3
ProCurve Series 6400cl Switches Series 5300xl Switches Series 3400cl Switches October 2005 E.10.02 or Greater (5300xl) M.08.73 or Greater (3400/6400cl) Access Security Guide...
Page 4
SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the The only warranties for HP products and services are set OpenSSL Project for use in the OpenSSL Toolkit. For more forth in the express warranty statements accompanying information on OpenSSL, visit http://www.openssl.org.
Contents Product Documentation About Your Switch Manual Set ........xv Feature Index.
Page 6
CLI: Setting Passwords and Usernames ......2-7 Web: Setting Passwords and Usernames ......2-8 Front-Panel Security .
Page 7
Configuring the Per-Port Filtering Mode ....3-13 Example of a Basic Connection-Rate Filtering Configuration . . 3-14 Viewing and Managing Connection-Rate Status ....3-16 Viewing the Connection-Rate Configuration .
Page 8
Overview ..........4-16 Configure the Switch for Web-Based Authentication .
Product Documentation About Your Switch Manual Set The switch manual set includes the following documentation: ■ Read Me First—a printed guide shipped with your switch. Provides soft ware update information, product notes, and other information. Installation and Getting Started Guide—a printed guide shipped with your ■...
Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature and which switches support that feature. Feature Management and Advanced Traffic Access Supported Supported Configuration...
Page 19
Product Documentation Feature Management and Advanced Traffic Access Supported Supported Configuration Management Security on 5300xl on 3400cl/ Guide 6400cl Eavesdrop Protection Event Log Factory Default Settings Flow Control (802.3x) File Management File Transfers Friendly Port Names Guaranteed Minimum Bandwidth (GMB) GVRP IGMP Delayed Group Flush...
Page 20
Product Documentation Feature Management and Advanced Traffic Access Supported Supported Configuration Management Security on 5300xl on 3400cl/ Guide 6400cl Meshing Monitoring and Analysis Multicast Filtering Multiple Configuration Files Network Management SNMP only Applications OpenView Device Management OSPF Passwords Password Clear Protection PIM Dense, Sparse Ping Port Configuration...
Getting Started Sources for More Information Figure 1-1. Example of a Figure Showing a Simulated Screen In some cases, brief command-output sequences appear without figure iden tification. For example: ProCurve(config)# clear public-key ProCurve(config)# show ip client-public-key show_client_public_key: cannot stat keyfile Port Identity Examples This guide describes software applicable to both chassis-based and stackable ProCurve switches.
Page 27
Getting Started Sources for More Information N o t e For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, visit the ProCurve Network ing web site at http://www.procurve.com, click on Technical support, and then click on Product Manuals (all).
Getting Started Sources for More Information • Daylight time rules ■ Advanced Traffic Management Guide—Use the Advanced Traffic Man- agement Guide for information on: • VLANs: Static port-based and protocol VLANs, and dynamic GVRP VLANs • Multicast traffic control (IGMP) and Protocol-Independent Multicast routing (PIM-DM) •...
Getting Started Sources for More Information Figure 1-3. Listing of ProCurve Manuals on the ProCurve Networking Web Site Online Help If you need information on specific parameters in the menu interface, refer to the online help provided in the interface. Online Help for Menu Figure 1-4.
IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing.
Getting Started To Set Up and Install the Switch in Your Network To Set Up and Install the Switch in Your Network Use the ProCurve Installation and Getting Started Guide (shipped with your switch) for the following: ■ Notes, cautions, and warnings related to installing and using the switch and its related modules ■...
HP recommends that you use local passwords together with the switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords.
Getting Started Applications for Access Control Lists (ACLs) 4. Port security 5. Authorized IP Managers 6. Application features at higher levels in the OSI model, such as SSH. (The above list does not address the mutually exclusive relationship that exists among some security features.) Applications for Access Control Lists (ACLs) Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve...
Page 34
Getting Started Applications for Access Control Lists (ACLs) — This page unused intentionally — 1-12...
Page 35
Configuring Username and Password Security Contents Overview ............2-2 Configuring Local Password Security .
Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-8 Set a Password none page 2-5 page 2-7 page 2-8 Delete Password Protection page 2-6 page 2-7 page 2-8 show front-panel-security — page 1-13 —...
Page 37
Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Page 38
Configuring Username and Password Security Overview N o t e The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface. From the Main Menu select: 3.
Page 40
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Syntax: [ no ] password <manager | operator > [ user-name ASCII-STR ] [ no ] password <...
Configuring Username and Password Security Front-Panel Security Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) user- names. To Configure (or Remove) Usernames and Passwords in the web browser interface. 1. Click on the tab.
Configuring Username and Password Security Front-Panel Security When Security Is Important Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.
Configuring Username and Password Security Front-Panel Security Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button. Reset Button Clear Button Reset Clear Figure 2-4. Front-Panel Button Locations on a ProCurve 5300xl Switch Clear Button Reset Button (to restore configuration Reset...
Configuring Username and Password Security Front-Panel Security Clear Button Pressing the Clear button alone for one second resets the password(s) con figured on the switch. Reset Clear Figure 2-6. Press the Clear Button for One Second To Reset the Password(s) Reset Button Pressing the Reset button alone for one second causes the switch to reboot.
Page 46
Configuring Username and Password Security Front-Panel Security Reset Clear While holding the Reset button, press and hold the Clear button. Reset Clear 3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing. Reset Clear Self...
Configuring Username and Password Security Front-Panel Security Reset Clear Self Test This process restores the switch configuration to the factory default settings. Configuring Front-Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: • Disable or re-enable the password-clearing function of the Clear button.
Page 48
Configuring Username and Password Security Front-Panel Security Reset-on-clear: Shows the status of the reset-on-clear option (Enabled or Disabled). When reset-on-clear is disabled and Clear Password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch.
Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch.
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.
Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear , with reset-on- clear disabled by the “ ” statement at the beginn ng of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-10. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina...
(the default) on the switch prior to an attempt ■ to recover from a lost username/password situation ■ Contacting your HP Customer Care Center to acquire a one-time-use password Disabling or Re-Enabling the Password Recovery Process Disabling the password recovery process means that the only method for...
Page 53
Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.
If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP. If you have disabled password-recovery, which locks out the ability to recover a...
Virus Throttling (5300xl Switches Only) Introduction Introduction Feature Default Menu Global Configuration and Sensitivity Disabled — 3-12 — Per-Port Configuration None — 3-13 — Listing and Unblocking Blocked Hosts — 3-18 — Viewing the Current Configuration — 3-16 — Configuring Connection-Rate ACLs None —...
Page 58
Virus Throttling (5300xl Switches Only) Introduction signature updates will still need to be deployed to hosts, the network remains functional and the overall distribution of the malicious code is limited. Connection-Rate filtering is a countermeasure tool you can use in your inci- dent-management program to help detect an manage worm-type IT security threats received in inbound routed traffic.
Virus Throttling (5300xl Switches Only) General Operation of Connection-Rate Filtering General Operation of Connection-Rate Filtering Connection-Rate filtering enables notification of worm-like behavior detected in inbound routed traffic and, depending on how you configure the feature, also throttles or blocks such traffic. This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting your network from possibly malicious traffic from other hosts.
Virus Throttling (5300xl Switches Only) General Operation of Connection-Rate Filtering Sensitivity to Connection Rate Detection The switch includes a global sensitivity setting that enables adjusting the ability of connection-rate filtering to detect relatively high instances of con- nection-rate attempts from a given source. Application Options For the most part, normal network traffic is distinct from the traffic exhibited by malicious agents.
Virus Throttling (5300xl Switches Only) Terminology Terminology Bridged Traffic: See “Switched Traffic”, below. DA: The acronym for Destination Address. In an IP packet, this is the destination IP address carried in the header, and identifies the destination intended by the packet’s originator. See also “SA”. Routed Traffic: Traffic moving from an SA in one VLAN to a DA in a different VLAN.
Virus Throttling (5300xl Switches Only) Operating Rules Operating Rules ■ When configuring or changing the configuration of connection-rate filters in the switch, execute the clear arp command to reset the routing table. Connection-Rate filtering is triggered by inbound IP routed traffic ■...
Virus Throttling (5300xl Switches Only) General Configuration Guidelines General Configuration Guidelines As stated earlier, connection-rate filtering is triggered only by routed, inbound traffic generating a relatively high number of new IP connection requests from the same host. Thus, for the switch to apply connection-rate filters, IP routing and multiple VLANs with member ports must first be configured.
Virus Throttling (5300xl Switches Only) General Configuration Guidelines Note On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan < vid > connection-rate filter unblock command. 10. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code.
SAs to be routed without being subjected to the filtering.) Note Immediately after you enable or disable connection-rate filtering, the CLI prompts you to reboot the switch. HP strongly recommends that you perform the reboot to help ensure optimal switch performance. 3-11...
Virus Throttling (5300xl Switches Only) Basic Connection-Rate Filtering Configuration Enabling Connection-Rate Filtering and Configuring Sensitivity Syntax: connection-rate-filter sensitivity < low | medium | high | aggressive > no connection-rate-filter This command: ■ Enables connection-rate filtering. Sets the global sensitivity level at which the switch ■...
Virus Throttling (5300xl Switches Only) Basic Connection-Rate Filtering Configuration Configuring the Per-Port Filtering Mode Syntax: filter connection-rate < port-list > < notify-only | throttle | block > no filter connection-rate < port-list > Configures the per-port policy for responding to detection of a relatively high number of inbound, routed IP connection attempts from a given source.
Virus Throttling (5300xl Switches Only) Basic Connection-Rate Filtering Configuration Example of a Basic Connection-Rate Filtering Configuration Switch 5300xl Switch VLAN 1 15.45.100.1 Server VLAN 10 Switch Server 15.45.200.1 Server VLAN 15 15.45.300.1 Switch Company Intranet Server Figure 3-2. Sample Network Basic Configuration.
Page 69
Virus Throttling (5300xl Switches Only) Basic Connection-Rate Filtering Configuration Enables connection-rate filtering and sets the sensitivity to “ low”. Configures the desired responses to nbound, high connectivity-rate traffic on the various ports. Indi cates that connectivity-rate filtering is enabled at the “low” sensitivity setting.
Virus Throttling (5300xl Switches Only) Basic Connection-Rate Filtering Configuration Viewing and Managing Connection-Rate Status The commands in this section describe how to: View the current connection-rate configuration ■ ■ List the currently blocked hosts Unblock currently blocked hosts (on a per-VLAN basis). ■...
Page 71
Virus Throttling (5300xl Switches Only) Basic Connection-Rate Filtering Configuration To view the complete connection-rate configuration, including any ACLs (page 3-20), use show config (for the startup-config file) or show running (for the running-config file). For example: Entry showing that connection-rate-filter ng is enabled and set to “medium”...
Virus Throttling (5300xl Switches Only) Basic Connection-Rate Filtering Configuration Listing and Unblocking the Currently-Blocked Hosts Syntax: show connection-rate-filter < all-hosts | blocked-hosts | throttled-hosts > all-hosts: Lists, by VLAN membership, all hosts currently detected in a throttling or blocking state, along with a state indicator.
Page 73
Basic Connection-Rate Filtering Configuration Note HP recommends that, before you unblock a host that has been blocked by connection-rate filtering, you inspect the host with current antivirus tools and remove any malicious agents that pose a threat to your network.
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs Note Connection-Rate ACLs are a special case of the switch’s ACL feature. If you need information on other applications of ACLs or more detailed information on how ACLs operate, refer to the chapter titled “Access Control Lists (ACLs) for the Series 5300xl Switches”...
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs Configuring a Connection-Rate ACL Using Source IP Address Criteria (To configure a connection-rate ACL using UDP/TCP criteria, go to page 3-23.) Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: ProCurve(config-crf-nacl)# If the ACL already exists, this command simply puts the...
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs Configuring a Connection-Rate ACL Using UDP/TCP Criteria (To configure a connection-rate ACL using source IP address criteria, turn to page 3-22.) Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: ProCurve(config-crf-nacl)# If the ACL already exists, this command simply puts...
Page 78
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs ip-addr < mask-length >: Applies the ACEs action (filter or ignore) to IP traffic having an SA within the range defined by either: < src-ip-addr/cidr-mask-bits> <src-ip-addr < mask >> Use this criterion for traffic received from either a subnet or a group of IP addresses.
Page 79
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs < tcp-data > or < udp-data > TCP or UDP Port Number or (Well- Known) Port Name: Use the TCP or UDP port number required for the desired match. The switch also accepts certain well-known TCP or UDP port names as alternates to their corre- sponding port numbers:...
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs Applying Connection-Rate ACLs To apply a connection-rate ACL, use the access group command described below. Note that this command differs from the access group command for non-connection-rate ACLs. Syntax: [no] vlan < vid > ip access-group < crf-list-name > connection-rate-filter This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering.
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs For more on ACE masks, refer to “How an ACE Uses a Mask To Screen Packets for Matches” in the chapter titled “Access Control Lists (ACLs for the Series 5300xl Switches” in the Advanced Traffic Management Guide for your switch. Example of Using an ACL in a Connection-Rate Configuration This example adds connection-rate ACLs to the basic example on page 3-14.
Page 82
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs The administrator needs to maintain blocking protection from the “Company Intranet” while allowing access to the server at 15.45.50.17. Because the server is carefully maintained as a trusted device, the administrator’s solution is to configure a connection-rate ACL that causes the switch to ignore (circumvent) connection-rate filtering for inbound traffic from the server, while maintaining the filtering for all other inbound routed traffic on port D2.
Page 83
Virus Throttling (5300xl Switches Only) Configuring and Applying Connection-Rate ACLs The new switch configuration incl udes the ACL configured in figure 3-11. Shows the assignment of the above connection-rate ACL to VLAN 15. Figure 3-12. Example of Switch Configuration Display with a Connection-Rate ACL 3-29...
Virus Throttling (5300xl Switches Only) Connection-Rate ACL Operating Notes Connection-Rate ACL Operating Notes ■ A connection-rate ACL allows you to configure two types of ACEs (Access Control Entries): ignore < source-criteria >: This ACE type directs the switch to permit •...
Virus Throttling (5300xl Switches Only) Connection-Rate Log and Trap Messages Connection-Rate Log and Trap Messages These messages appear in the switch’s Event Log. If SNMP trap receivers are configured on the switch, it also sends the messages to the designated receiver(s).
Page 86
Virus Throttling (5300xl Switches Only) Connection-Rate Log and Trap Messages — This page is intentionally unused. — 3-32...
Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 4-16 — Configure MAC Authentication — 4-21 — Display Web Authentication Status and Configuration — 4-25 — Display MAC Authentication Status and Configuration — 4-26 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access.
Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well- suited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.
Web and MAC Authentication Overview General Features Web and MAC Authentication on the Series 5300xl switches include the following: On a port configured for Web or MAC Authentication, the switch ■ operates as a port-access authenticator using a RADIUS server and the CHAP protocol.
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server.
Page 92
Web and MAC Authentication How Web and MAC Authentication Operate Figure 4-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session.
Page 94
Web and MAC Authentication How Web and MAC Authentication Operate 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
LAN link. Redirect URL: A System Administrator-specified web page presented to an authorized client following Web Authentication. HP recommends speci fying this URL when configuring Web Authentication on a switch. Refer to aaa port-access web-based [e] < port-list > [redirect-url < url >] on page 4-20.
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X and either Web- or MAC- authentication operation on a port (with up to 32 clients allowed). However, concurrent operation of Web- or MAC-authentication with other types of authentication on the same port is not supported.
Page 97
Web and MAC Authentication Operating Rules and Notes • During an authenticated client session, the following hierarchy deter mines a port’s VLAN membership: 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, HP recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication c. If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client ses sions.
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configure the client device’s (hexadecimal) MAC address as both ■ username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access.
Page 101
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config- ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses.
1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using Web Authenti...
Web and MAC Authentication Configuring Web Authentication on the Switch Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 4-17 aaa port-access web-based dhcp-lease 4-17 [no] aaa port-access web-based [e] < port-list > 4-18 [auth-vid] 4-18 [client-limit] 4-18...
Page 104
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access web-based [e] <...
Page 105
Web and MAC Authentication Configuring Web Authentication on the Switch aaa port-access web-based [e] < port-list > Syntax: [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
Page 106
Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using Web Authentication. Note: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.
Web and MAC Authentication Configuring MAC Authentication on the Switch Specifies the VLAN to use for a client that fails authen- tication. If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0. (Default: 0) Configuring MAC Authentication on the Switch...
Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 4-22 [no] aaa port-access mac-based [e] < port-list > 4-22 [addr-limit] 4-23 [addr-moves] 4-23 [auth-vid] 4-23 [logoff-period] 4-23 [max-requests]...
Page 109
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Note: On 5300xl switches running software release E.09.xx or greater, where MAC Auth and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods.
Page 110
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication. (Default: 60 seconds) Syntax: aaa port-access mac-based [e] <...
Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web- Based Authentication Command Page port-list show port-access [ ] web-based 4-25 [clients] 4-25 [config] 4-25 [config [auth-server]] 4-26 [config [web-server]] 4-26 port-list show port-access web-based config detail 4-26 Syntax:...
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
Page 113
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [clients]] Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client.
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.
TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access.
Page 118
TACACS+ Authentication Terminology Used in TACACS Applications: Authentication: The process for granting user access to a device ■ through entry of a user name and password and comparison of this username/password pair with previously stored username/password data. Authentication also grants levels of access, depending on the privileges assigned to a user name and password pair by a system administrator.
TACACS+ configurations used in your network. TACACS-aware ProCurve switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
Page 120
TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...
Page 121
15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 5-5 and configure your TACACS+ server(s) before configuring authentication on the switch.
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. show tacacs Syntax: For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a...
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
Page 126
TACACS+ Authentication Configuring TACACS+ on the Switch Table 5-1. AAA Authentication Parameters Name Default Range Function console Specifies whether the command is configuring authentication for the console port - or - or Telnet access method for the switch. telnet enable Specifies the privilege level for the access method being configured.
Page 127
TACACS+ Authentication Configuring TACACS+ on the Switch Table 5-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
Page 128
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
Note As described under “General Authentication Setup Procedure” on page 5-5, HP recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
Page 130
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server- specific encryption key, if any) tacacs-server key <key-string>...
Page 131
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per- server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
Page 132
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key <key-string> none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
Page 133
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 5-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note...
Page 135
TACACS+ Authentication How Authentication Operates Using figure 5-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. •...
TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentica tion only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...
TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryp tion key in the switch to match a key entered as in two target north40campus TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: ProCurve(config)# tacacs-server key north40campus...
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa tion on such messages, refer to the documentation you received with the application.
Page 140
TACACS+ Authentication Operating Notes When TACACS+ is not enabled on the switch—or when the switch’s ■ only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unautho rized persons.) 5-26...
RADIUS Authentication and Accounting Overview Overview Feature Default Menu Configuring RADIUS Authentication None Configuring RADIUS Accounting None 6-48 Viewing RADIUS Statistics 6-56 RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.
RADIUS Authentication and Accounting Terminology Accounting Services RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis. RADIUS-Administered CoS and Rate-Limiting The 3400cl and 6400cl switches, plus 5300xl switches running software release E.09.xx or greater take advantage of vendor-specific attributes (VSAs) applied in a RADIUS server to support these optional, RADIUS-assigned attributes:...
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers. RADIUS Host: See RADIUS server. RADIUS Server: A server running the RADIUS application you are using on your network.
Page 146
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS When this type of failure occurs, the switch prompts the client again to enter a username and password. In this case, use the local user- name (if any) and password configured on the switch itself. Zero-length usernames or passwords are not allowed for RADIUS ■...
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass a RADIUS server that fails to respond to requests for service.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following •...
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication (Default: null.) • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request.
Page 151
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication You can also use RADIUS for Port-Based (802.1X) Access authentication. Refer to chapter 10, “Configuring Port-Based and Client-Based Access Control (802.1X)” . You can configure RADIUS as the primary password authentication method for the above access methods.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to your network can gain access to either the Operator or Manager level without encountering the RADIUS authentication specified for Enable Primary.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication — Continued from the preceding page. — The no form of the command returns the switch to the default RADIUS authentication operation. The default behavior for most interfaces is that a client authorized by the RADIUS server for Enable (Manager) access will be prompted twice, once for Login (Operator) access and once for Enable access.
Page 154
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [acct-port < port-number >] Optional. Changes the UDP destination port for account- ing requests to the specified RADIUS server. If you do not use this option with the radius-server host command, the switch automatically assigns the default accounting port number.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 6-3. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 6-3, you would do the following: Changes the key for the existing server to “source0127”...
Page 156
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Global server key: The server key the switch will use for contacts ■ with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch.
Page 157
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication If a RADIUS server fails to respond to an authentica - tion request, specifies how many retries to attempt before closing the session. Default: 3; Range: 1 - 5) Note Where the switch has multiple RADIUS servers configured to support authen...
Page 158
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the 5300xl switches. After two attempts failing due to username or password entry errors, the switch will terminate the session.
RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: Local is the authentication option for the access method being used. ■...
RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ 5300xl Switches: Configure the switch to support RADIUS authenti cation for web browser interface access (software release E.09.xx and greater).
Assignments on ProCurve vendor-specific ID:11 Inbound Traffic VSA: 40 (string = HP) This feature assigns a Setting: HP-COS = xxxxxxxx where: RADIUS-specified x = desired 802.1p priority 802.1p priority to all Note: This is typically an eight-octet field. Enter the same x-value...
Rate-Limiting on Vendor-Specific Attribute configured in the RADIUS server. inbound traffic ProCurve vendor-specific ID:11 This feature assigns a VSA: 46 (integer = HP) bandwidth limit to all Setting: HP-RATE-LIMIT = < bandwidth-in-Kbps > inbound packets Note: The CLI command for configuring a rate-limit on a port uses received on a port a percent-age value.
Page 163
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services These commands display the CoS and Rate-Limiting settings specified by the RADIUS server used to grant authentication for a given client on a given port. When the authenticated client session closes, the switch resets these fields to the values to which they are configured in the switch’s running-config file.
Page 164
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services 50 i n the Limit field ind cates that the most recent rate-limit configured in the switch for this port is 50% of the port’s available bandwidth.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services ple, if client “X” is authenticated with a CoS of 5 and a rate-limit of 75%, and client “Y” later becomes authenticated with a CoS of 3 and a rate-limit of 50% while the session for client “X”...
Page 166
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services clients from using TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) if you do not want their access privileges to include these capabilities.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services RADIUS-Based (Dynamic) ACLs VLAN-Based (Static) ACLs Supports only extended ACLs. (Refer to Terminology.) Supports standard, extended, and connection-rate ACLs, and applies these ACLs to traffic on all ports belonging to the VLAN.
Page 168
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Deny: An ACE configured with this action causes the switch to drop a packet for which there is a match within an applicable ACL. Deny Any Any: An abbreviated form of deny in ip from any to any, which denies any inbound IP traffic from any source to any destination.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services General Operation An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). These ACEs are designed to control the network access privileges of an authenti...
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services The Packet-filtering Process Sequential Comparison and Action. When an ACL filters a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. The action indicated by the matching ACE (deny or permit) is then performed on the packet.
Page 171
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Note If a RADIUS-based ACL permits an authenticated client’s inbound IP packet, but the client port belongs to a VLAN for which there is an inbound, VLAN- based ACL configured on the switch, then the packet will also be filtered by the VLAN-based ACL.
Page 172
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Note The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE is a “permit IP any”, then the ACL permits all IP traffic, and the remaining ACEs in the list do not apply, even if they specify criteria that would make a match with any of the traffic permitted by the first ACE.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services It is important to remember that RADIUS-based ACLs include an implicit “deny IP any any”. That is, packets received inbound from an authenticated client that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Begin by defining the policies you want an ACL to enforce for a given client or group of clients. This includes the type of IP traffic permitted or not permitted from the client(s) and the areas of the network the client(s) are authorized or not authorized to use.
Page 175
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services The sequence of ACEs is significant. When the switch uses an ACL to ■ determine whether to permit or deny a packet on a particular VLAN, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Operating Rules for RADIUS-Based ACLs Relating a Client to a RADIUS-Based ACL: A RADIUS-based ACL ■ for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client.
Page 177
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Item Limit Notes Where two authenticated clients are using RADIUS-based ACLs on the same port, the total number of ACEs in both active sessions cannot exceed the maximum. Maximum Number of —...
MAC address). For information on how to configure this functionality on other RADIUS server types, refer to the documentation provided with the server. 1. Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: VENDOR...
Page 179
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services 2. Enter the switch IP address, NAS (Network Attached Server) type, and the key in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key is “1234”, you would enter the follow...
Page 180
Client’s Password (802.1X or Web Authentication) Client’s Username (802.1X or Web Authentication) mobile011 Auth-Type:= Local, User-Password == run101112 HP-IP-FILTER-RAW = “permit in tcp from any to 10.10.10.101”, HP-IP-FILTER-RAW += “deny in tcp from any to any”, HP-IP-FILTER-RAW += “permit in ip from any to any”...
Page 181
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services • Any IP address Where the traffic type is either TCP or UDP, the ACE can optionally ■ include one or more TCP or UDP port numbers. The following syntax and operating information refers to ACLs configured in a RADIUS server.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services [ tcp/udp-ports]: Optional TCP or UDP port specifier. Used when the ACL is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify port numbers as individual values and/or ranges.
Page 183
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Note Refer to the documentation provided with your RADIUS server for infor mation on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch.
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Displaying the Current RADIUS-Based ACL Activity on the Switch These commands output data indicating the current ACL activity imposed per- port by RADIUS server responses to client authentication. Syntax: show access-list radius <...
Page 185
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Syntax: show port-access authenticator < port-list > For ports, in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in <...
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Event Log Messages Message Meaning Notifies of a problem with the permit deny keyword in ACE parsing error, permit/deny keyword < ace-# > client < mac-address > the indicated ACE included in the access list for the port <...
RADIUS Authentication and Accounting Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services Message Meaning Notifies of a memory allocation failure for a RADIUS-based Memory allocation failure for IDM ACL. ACL. User Action? Notifies that the maximum number of ACEs (30) allowed on ACE limit per port exceeded.
RADIUS Authentication and Accounting Configuring RADIUS Accounting (For 802.1x information for the switch, refer to chapter 10, “Configuring Port-Based and Client-Based Access Control (802.1X)” .) Exec accounting: Provides records holding the information listed ■ below about login sessions (console, Telnet, and SSH) on the switch: •...
RADIUS Authentication and Accounting Configuring RADIUS Accounting If access to a RADIUS server fails during a session, but after the client ■ has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch.
RADIUS Authentication and Accounting Configuring RADIUS Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 6-13.
RADIUS Authentication and Accounting Configuring RADIUS Accounting For example, suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes. IP address: 10.33.18.151 ■ ■ A non-default UDP port number of 1750 for accounting. For this example, assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings, and that RADIUS is already configured as an authentication method for one or more...
Page 193
RADIUS Authentication and Accounting Configuring RADIUS Accounting Note that there is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs. Network: Use Network if you want to collect accounting information ■...
RADIUS Authentication and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: Configures exec and system accounting and controls. Summarizes the switch’s accounting configuration. Exec and System accounting are active.
Page 195
RADIUS Authentication and Accounting Configuring RADIUS Accounting Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username). ■ • Update Period • Suppress Unknown User Figure 6-20. Example of Optional Accounting Update Period and Accounting Suppression on Unknown User 6-55...
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 6-22. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
RADIUS Authentication and Accounting Viewing RADIUS Statistics show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server. (Requires prior use of the radius-server host command to configure a RADIUS server IP address in the switch. See “Configuring RADIUS Accounting”...
Page 199
RADIUS Authentication and Accounting Viewing RADIUS Statistics Lists configured accounting interval, “Empty User” suppres- sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config- ured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch.
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 6-27. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
RADIUS Authentication and Accounting Messages Related to RADIUS Operation 1. Delete 10.10.10.003 from the list. This opens the third (lowest) position in the list. 2. Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. 3. Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list.
Page 202
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Message Meaning The switch is configured for and attempting RADIUS No server(s) responding. authentication, however it is not receiving a response from a RADIUS server. Ensure that the switch is configured to access at least one RADIUS server.
Configuring Secure Shell (SSH) Overview Overview Feature Default Menu Generating a public/private key pair on the switch page 7-10 Using the switch’s public key page 7-12 Enabling SSH Disabled page 7-15 Enabling client public-key authentication Disabled pages 7-19, 7-22 Enabling user authentication Disabled page 7-18 The switches covered by this guide use Secure Shell version 1 or 2 (SSHv1 or...
Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
Page 206
Configuring Secure Shell (SSH) Terminology PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted ■ client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figures 7-3 and 7-4 for examples of PEM-encoded ASCII and non- encoded ASCII keys.
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 7-2), then the client program must have the capability to generate or import keys.
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 7-1.
Page 209
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-9). 2. Generate a public/private key pair on the switch (page 7-10). You need to do this only once.
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 keys client key pairs. The switch’s own public/private key pair and the (optional) client ■...
1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 7-5. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
Page 213
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”;...
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 7-6. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays it in two different formats because your client may store it in either of these formats after learning the key.
Page 215
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...
Page 216
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecima "Fingerprints" of the Same Switch Figure 7-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 7-10 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
Page 218
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
Page 219
896 bits. N o t e o n P o r t HP recommends using the default TCP port number (22). However, you can Num b er use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you.
Page 221
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and second- ary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.
Page 222
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login public-key to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 7-13 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Shows the contents of the public key file downloaded with the copy tftp command in figure 7-12.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 7-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
Page 225
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random sequence of bytes.
Page 226
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 7-14, may appear in a SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
Page 227
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication N o t e o n P u b l i c The actual content of a public key entry in a public key file is determined by K e ys the SSH client application generating the key.
Page 228
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication.
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning Indicates an error in communicating with the tftp server or 00000K Peer unreachable. not finding the file to download. Causes include such factors • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the command...
Page 230
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the crypto key generate ssh [rsa Generating new RSA host key. If the command, the switch displays this message while it cache is depleted, this could take up to s generat ng the key.
Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu Generating a Self Signed Certificate on the switch page 8-9 page 8-13 Generating a Certificate Request on the switch page 8-15 Enabling SSL Disabled page 8-17 page 8-19 The switches covered by this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manage...
Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. SSL Client ProCurve Browser Switch 2. User-to-Switch (log n password and (SSL enable password authentication) Server) options: – Local – TACACS+ – RADIUS Figure 8-1. Switch/User Authentication SSL on the switches covered by this guide supports these data encryption methods: ■...
Page 234
Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to ■ sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib uted as an integral part of most popular web clients. (see browser docu mentation for which root certificates are pre-installed).
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com- puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring ssl include:...
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch.
1. Assigning a Local Login (Operator) and Enable (Manager)Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Page 238
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface, refer to the chapter titled “Using the Web Browser Interface”...
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number arguments used in the generation of a server certificate. table 8-1, “Certificate Field Descriptions” describes these arguments. Table 8-1. Certificate Field Descriptions Field Name Description Valid Start Date...
Page 242
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation N o t e s “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web Browser Interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface refer to the chapter titled “Using the Web Browser Interface”...
Page 244
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certif cate Arguments Figure 8-5.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web Browser Interface To install a CA-Signed server host certificate from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the Web Browser Interface”...
Page 246
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 8-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
Page 248
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation N o t e Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate”...
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
Page 250
Figure 8-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t HP recommends using the default IP port number (443). However, you can N u m b e r use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes.
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...
Page 252
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup — This page is intentionally unused. — 8-22...
Traffic/Security Filters Overview Overview Applicable Switch Models. As of September, 2004, Traffic/Security filters are available on these current ProCurve switch models: Switch Models Source-Port Protocol Multicast Filters Filters Filters Series 6400cl Series 5300xl Series 3400cl Series 2800 Series 2500 Switch 4000m and 8000m This chapter describes Traffic/Security filters on the switches covered by this guide.
Traffic/Security Filters Filter Types and Operation Filter Limits The switch accepts up to 101 static filters. These limitations apply: ■ Source-port filters: • 5300xl switches: Up to 78 • 3400cl/6400cl switches: One per port or port trunk ■ Multicast filters (5300xl only): up to 16 Protocol filters (5300xl only): up to 7 ■...
Traffic/Security Filters Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports. Server Node “A” Port Port Switch 5400xl, 6400cl, Node Switch 3400cl “B”...
Traffic/Security Filters Filter Types and Operation When you create a source port filter, all ports and port trunks (if any) ■ on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.
Traffic/Security Filters Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports. Figure 9-3.
Traffic/Security Filters Filter Types and Operation A named source-port filter can only be deleted when it is not applied ■ to any ports. Defining and Configuring Named Source-Port Filters The named source-port filter command operates from the global configuration level. Syntax: [no] filter source-port named-filter <filter-name>...
Traffic/Security Filters Filter Types and Operation ProCurve(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks. To configure a named source-port filter to prevent inbound traffic from being forwarded to specific destination switch ports or port trunks, the drop option is used.
Page 261
Traffic/Security Filters Filter Types and Operation Network Design 1. Accounting Workstations may only send traffic to the Accounting Server. 2. No Internet traffic may be sent to the Accounting Server or Workstations. 3 All other switch ports may on y send traffic to Port 1. Router to the Port 1 Internet...
Page 262
Traffic/Security Filters Filter Types and Operation ProCurve(config)# filter source-port 2-6,8,9,12-26 named-filter web-only ProCurve(config)# filter source-port 7,10,11 named-filter accounting ProCurve(config)# filter source-port 1 named-filter no-incoming-web ProCurve(config)# The show filter command shows what ports have filters applied. ProCurve config)# show filter Traffic/Security Filters Indicates the port number or port- IDX Filter Type | Value trunk name of the source port or trunk...
Page 263
Traffic/Security Filters Filter Types and Operation ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5 Dest Port Type | Action Dest Port Type | Action --------- --------- + --------------------------...
Page 264
Traffic/Security Filters Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ----------------------- - 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward 10/100TX...
Page 265
Traffic/Security Filters Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. ProCurve(config)# filter source-port named-filter accounting forward 8,12,13 ProCurve(config)# filter source-port named-filter no-incoming-web drop 8,12,13 ProCurve(config)# ProCurve(config)# show filter source-port Traffic/Security Filters...
Traffic/Security Filters Filter Types and Operation Static Multicast Filters (5300xl Only) This filter type enables the switch to forward or drop multicast traffic to a specific set of destination ports. This helps to preserve bandwidth by reducing multicast traffic on ports where it is unnecessary, and to isolate multicast traffic to enhance security.
Traffic/Security Filters Filter Types and Operation in this range will continue to be in effect unless IGMP learns of a multicast group destination in this range. In this case, IGMP takes over the filtering function for the multicast destination address(es) for as long as the IGMP group is active.
Traffic/Security Filters Configuring Traffic/Security Filters Configuring Traffic/Security Filters Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify. 1. Select the static filter type(s). 2. For inbound traffic matching the filter type, determine the filter action you want for each outbound (destination) port on the switch (forward or drop).
Traffic/Security Filters Configuring Traffic/Security Filters Configures the filter to drop traffic for the ports and/or trunks in the designated < destination-port-list >. Can be followed by forward < destination-port-list > if you have other destination ports set to drop that you want to change to forward.
Traffic/Security Filters Configuring Traffic/Security Filters Configuring a Filter on a Port Trunk This operation uses the same command as is used for configuring a filter on an individual port. However, the configuration process requires two steps: 1. Configure the port trunk. 2. Configure a filter on the port trunk by using the trunk name (trk1, trk2, ...trk6) instead of a port name.
Traffic/Security Filters Configuring Traffic/Security Filters Figure 9-6. Example of Switch Response to Adding a Filtered Source Port to a Trunk Editing a Source-Port Filter The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port or trunk. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter.
Page 272
Traffic/Security Filters Configuring Traffic/Security Filters [< forward | drop > < port-list >] Specifies whether the designated destination port(s) should forward or drop the filtered traffic. [protocol < ip | ipx | arp | dec-lat | appletalk | sna | netbeui >] (5300xl only.) Specifies a protocol type.
Traffic/Security Filters Configuring Traffic/Security Filters Figure 9-8. Configuring Various Traffic/Security Filters Filter Indexing The switch automatically assigns each new filter to the lowest-available index (IDX) number. The index numbers are included in the show filter command described in the next section and are used with the show filter < index > command to display detailed information about a specific filter.
Page 274
Traffic/Security Filters Configuring Traffic/Security Filters Lists the filter type and other data for the filter corre sponding to the index number in the show filter output. Also lists, for each outbound destination port in the switch, the port number, port type, and filter action (forward or drop). The switch assigns the lowest available index number to a new filter.
Configuring Port-Based and Client-Based Access Control (802.1X) Contents Overview ........... . . 10-3 Why Use Port-Based or Client-Based Access Control? .
Page 276
Configuring Port-Based and Client-Based Access Control (802.1X) Contents Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices ........10-36 Port-Security on 5300xl Switches Running Software Release E.09.xx or Greater .
Configuring Port-Based and Client-Based Access Control (802.1X) Overview Authentication features covered in chapter 4.) • On the 3400cl and 6400cl switches (running software version M.08.6x or greater), port-based access control supporting one authenticated client per port. • Supplicant implementation using CHAP authentication and indepen dent username and password configuration on each port.
Configuring Port-Based and Client-Based Access Control (802.1X) Terminology port), where each client gains access to the LAN by entering a username and password. This extension improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated.
Page 280
Configuring Port-Based and Client-Based Access Control (802.1X) Terminology local authentication is used, in which case the switch performs this function using its own username and password for authenticating a supplicant). Authenticator: In ProCurve applications, a switch that requires a supplicant to provide the proper credentials (username and password) before being allowed access to the network.
Page 281
Configuring Port-Based and Client-Based Access Control (802.1X) Terminology Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This is usually an end-user work station, but it can be a switch, router, or another device seeking network services.
Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...
Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation N o t e 5300xl switches running software release E.09.xx or greater use the extended 802.1X client-based authentication. 3400cl and 6400cl switches (and 5300xl switches running a software version earlier than E.09.xx) use 802.1X port- based authentication.
Page 284
Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation New Client Authenticated Another Assign New Client (Old Client RADIUS- to RADIUS- Already Us ng Assigned Specified VLAN Port VLAN? Author zed Client VLAN Assign New Client Accept New Client VLAN Same As O to Authorized VLAN...
Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ When there is an authenticated client on a port, the following traffic movement is allowed: • 5300xl switches with software release E.09.xx (client-based authen tication allowing up to 32 authenticated clients per-port): –...
Page 286
Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes 5300xl Switches Only: Where a 5300xl port is configured to accept multi ■ ple 802.1X (and/or Web- or MAC-Authentication) client sessions, all authenticated clients must use the same port-based, untagged VLAN membership.
1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)
Page 288
Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) 1. Enable 802.1X authentication on the individual ports you want to serve as authenticators. On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch.
Page 290
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Syntax: aaa port-access authenticator < port-list > Enables specified ports to operate as 802.1X authenti- cators with current per- port authenticator configura- tion. To activate configured 802.1X operation, you must enable 802.1X authentication.
Page 291
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Available only on 5300xl switches running software release E.09.xx or greater. Specifies the maximum number of 802.1X-authenticated client sessions allowed on each of the ports in < port-list >. If a port currently has no authenticated client sessions, the next authenticated client session the port accepts deter- mines the VLAN to which the port is assigned during...
Page 292
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [max-requests < 1 - 10 >] Sets the number of authentication attempts that must time-out before authentication fails and the authenti- cation session ends.
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauthenticate] Forces reauth en tic at ion (unless the authenticator is in “HELD” state). [clear-statistics] Clears authenticator statistics counters. [logoff-period] Configures the period of time the switch waits for client activity before removing an inactive client from the port.
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: Configuration command for EAP-RADIUS authentication. 802.1X (Port-Access) configured for EAP - RADIUS authentication.
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 5. Enable 802.1X Authentication on the Switch After configuring 802.1X authentication as described in the preceding four sections, activate it with this command: Syntax: aaa port-access authenticator active Activates 802.1X port-access on ports you have configured as authenticators.
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Acquiring IP addressing from a DHCP server ■ ■ Downloading the 802.1X supplicant software necessary for an authenti cation session The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN.
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.
Page 298
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 10-2. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this...
Page 299
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • If the port is statically configured as a tagged member of a VLAN that is not used by 802.1X Open VLAN mode, the port returns to (Continued) tagged membership in this VLAN upon successful authentication.
Page 300
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.) VLAN Assignment Received from a If the RADIUS server specifies a VLAN for an authenticated supplicant...
Page 302
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Unauthorized-Client VLAN (also untagged).
Page 303
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Failed Client Authentication When there is an Unauthorized-Client VLAN configured on an 802.1X authenticator port, an unauthorized client connected to the port has Attempt access only to the network resources belonging to the Unauthorized- 5300xl Running Software Release E.09.xx Client VLAN.
Page 304
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note for 5300xl Switches Running Prior to software release E.09.xx, the 802.1X feature on ProCurve Software Release E.09.xx or Greater: Series 5300xl switches authenticated only one client per-port. Limitation on Using an Unauthorized- Beginning with release E.09.xx, you can optionally enable 5300xl Client VLAN on an 802.1X Port...
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 10-2 on page 10-24 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■...
Page 306
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.
Page 307
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration.
Page 308
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 10-31. Syntax: aaa port-access authenticator <...
Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 10-44. 802.1X Open VLAN Operating Notes ■...
Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices and there are multiple clients authenticated on the port, if one client loses access and attempts to re-authenticate, that client will be handled as a new client on the port.
Page 311
Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices In addition to the above, to use port-security on an authenticator port (chapter 11), use the per-port client-limit option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed to learn.
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 10-15 802.1X Supplicant Commands [no] aaa port-access <...
Page 313
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 1. When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch.
Page 315
Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator.
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 10-15 802.1X Supplicant Commands page 10-38 802.1X Open VLAN Mode Commands page 10-21 802.1X-Related Show Commands show port-access authenticator below show port-access supplicant page 10-48...
Page 317
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [< port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of ports configured as 802.1X authenticators (For descriptions of these elements, refer to the syntax descriptions under “1.
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port- access authenticator vlan and show port-access authenticator < port-list > com mands as illustrated in figure 10-5.
Page 319
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in figure 10-5: When the Auth VLAN ID is configured and matches the Current VLAN ID, an ■ authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.) When the Unauth VLAN ID is configured and matches the Current VLAN ID,...
Page 320
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 10-3. Output for Determining Open VLAN Mode Status (Figure 10-5, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication.
Page 321
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show vlan < vlan-id > Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode. Note that ports B1 and B3 are not in the upper listing, but are incl...
Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...
Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement.
Page 324
Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: authorized 802.1X client requires access...
Page 325
Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation s entry shows that port A2 s temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server ncluded an instruction to put the c ent’s access on VLAN 22.
Page 326
Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.
Configuring Port-Based and Client-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 10-4. 802.1X Operating Messages Message Meaning < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X Port authenticators.
Page 328
Configuring Port-Based and Client-Based Access Control (802.1X) Messages Related to 802.1X Operation —This page is intentionally unused— 10-54...
Configuring and Monitoring Port Security Contents Overview ........... . . 11-3 Port Security .
Page 330
Configuring and Monitoring Port Security Contents Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags ..........11-39 Operating Notes for Port Security .
Configuring and Monitoring Port Security Overview Overview Feature Default Menu Displaying Current Port Security — page 11-8 page 11-32 Configuring Port Security disabled — page 11-11 page 11-32 Retention of Static Addresses — page 11-16 MAC Lockdown disabled — page 11-21 MAC Lockout disabled —...
Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection.
Configuring and Monitoring Port Security Port Security • Limited-Continuous: Sets a finite limit ( 1 - 32 ) to the number of learned addresses allowed per port. • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses.
Configuring and Monitoring Port Security Port Security Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users.
Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit...
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 11-8 show mac-address port-security 11-11 < port-list > 11-11 learn-mode 11-11 address-limit 11-14 mac-address 11-14 action 11-15 clear-intrusion-flag 11-15 no port-security 11-15...
Page 337
Configuring and Monitoring Port Security Port Security Figure 11-2. Example Port Security Listing (Ports A7 and A8 Show the Default Setting) With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the spec ified ports on a switch.
Page 338
Configuring and Monitoring Port Security Port Security Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-address | vlan < vid >] Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports. mac-address: Lists the specified MAC address with the port on which it is detected as an authorized address.
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. Add or delete devices from the list of authorized addresses for one or more ■ ports. Clear the Intrusion flag on specific ports ■...
Page 340
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
Page 341
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an un-wanted device to become “authorized”.
Page 342
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) refer to the chapter titled “Interface Access and System Information” in the Management and Configuration Guide for your switch. To set the learn-mode to limited use this command syntax: port-security <port-list> learn-mode limited address-limit <...
Page 343
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-out. MAC addresses learned by using learn- mode continuous or learn-mode limited-continuous age out according to the currently configured MAC age time. (For information on the mac-age-time command, refer to the chapter titled “Interface Access and System Informa...
Page 345
Configuring and Monitoring Port Security Port Security Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
Page 346
Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
Page 347
Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
Page 348
Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the command syntax listing under “Configuring Port Security”...
Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configuration for port Figure 11-9.
Page 350
Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works.
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC address.
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
Page 354
Configuring and Monitoring Port Security MAC Lockdown Internal Server “A” Core 3400cl, 6400cl, 3400cl, 6400cl, Network 4200vl, or 5300x 4200vl or 5300xl Switch Switch There is no need to lock MAC addresses on switches in the internal core network. 3400cl, 6400cl, 3400cl, 6400cl, 4200vl, or 5300x 4200vl,or 5300x...
Page 355
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
Page 356
Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fa ils, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 Externa...
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch.
Page 358
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1x authenti cation. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file: Lockout logging format:...
Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security] 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion through the following ■ means: • I n the CLI: T he show port-security intrusion-log command displays the – Intrusion Log T he log command displays the Event Log –...
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. From the Main Menu select: 1.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 11-13 on page 11-35) does not indicate an intrusion for port A1, the alert flag for the intru sion on port A1 has already been reset. •...
Page 365
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear intrusion-flags Clear intrusion flags on all ports. port-security [e] < port-number > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port A1 has changed to “No”.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command Log Listing with with Secur ty V olation “security” for Detected Search Log L isting with No Secur ty V olation Detected Figure 11-18.Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4.
Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses.
Page 369
Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled.
Page 370
Configuring and Monitoring Port Security Operating Notes for Port Security — This page is intentionally unused. — 11-42...
Page 371
Using Authorized IP Managers Contents Overview ........... . . 12-2 Options .
Using Authorized IP Managers Options Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations Manager or Operator access privileges (for Telnet, SNMPv1, and ■...
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single man ■ agement station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Autho rized Manager IP column, and leave the IP Mask set to 255.255.255.255.
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 12-9. N o t e The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch.
Using Authorized IP Managers Defining Authorized Management Stations Enter an Author zed Manager IP address here. Use the default mask to allow access by one management device, or edit the mask to a ow access by a b ock of management devices. See “Building IP Masks”...
Using Authorized IP Managers Defining Authorized Management Stations Figure 12-3.Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103...
Page 378
Using Authorized IP Managers Defining Authorized Management Stations If you omit the < mask bits > when adding a new authorized manager, the switch automatically uses 255.255.255.255. If you do not specify either Manager or Operator access, the switch assigns the Manager access. For example: Omitting a mask in the ip authorized-managers command results in a default mask of 255.255.255.255, which authorizes only the specified station.
Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: Click on the Security tab. Click on [Authorized Addresses].
Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
Page 381
Using Authorized IP Managers Building IP Masks Figure 12-6. Analysis of IP Mask for Multiple-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed.
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...
Page 383
Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...
Page 384
Using Authorized IP Managers Operating Notes — This page is intentionally unused. — 12-14...
Key Management System Overview Overview The ProCurve switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex networks and the internet grow and become a part of our daily life and business.
Key Management System Configuring Key Chain Management Add new key chain Entry “Procurve1”. Display key chain entries. Figure 13-1. Adding a New Key Chain Entry After you add an entry, you can assign key(s) to it for use by a KMS-enabled protocol.
Key Management System Configuring Key Chain Management Adds a new T me-Independent key to the “Procurve1” chain. Displays keys in the key chain entry. Figure 13-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints.
Page 390
Key Management System Configuring Key Chain Management duration < mm/dd/yy [ yy ] hh:mm:ss | seconds > Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time (which is the accept-lifetime setting).
Page 391
Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches.
Page 392
Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses time-dependent keys, which result in this data: Expired = 1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day.
Page 394
RADIUS reboot after enable … 3-11 See RADIUS. reboot, effect … 3-8, 3-19 SSH recommended application … 3-3 See SSH. re-enable blocked host … 3-8 connection-rate ACL … 3-6 routed traffic … 3-4, 3-11 connection-rate filtering routed traffic, applies to … 3-11 access-control list …...
Page 395
filter type … 9-8 See KMS key chain. idx … 9-8, 9-21 key management system index … 9-8, 9-21 See KMS. operating rules … 9-4, 9-6 KMS port-trunk operation … 9-3, 9-18 accept key time … 13-5, 13-7 show … 9-8 assigning a time-dependent key …...
Page 396
manager password … 2-3, 2-5, 2-6 Port Access manager password recommended … 5-7 client limit … 10-17 MD5 concurrent … 10-17 See RADIUS. Web/MAC … 10-17 message Port access inconsistent value … 11-19 MAC auth … 10-4 multicast address, spanning tree protocol … 9-15 Web auth …...
Page 397
client-limit, web auth, MAC auth … 10-17 open VLAN clients use same VLAN … 10-22 authorized client … 10-23 clients, authenticated per-port … 10-4 configuration … 10-32, 10-34 concurrent with MAC auth … 10-4 general operation … 10-21 concurrent with Web auth … 10-4 mode …...
Page 401
authorized IP managers … 12-12 rules of operation … 4-10 trunk show status and configuration … 4-25 filter, source-port … 9-3, 9-18 terminology … 4-9 LACP, 802.1x not allowed … 10-15 Web authentication See also LACP. aaa authentication … 6-8 Web browser authentication …...