ProCurve 3400cl Technical Information Page 1


Summary of Contents

Page 1 - Series 3400cl Switches

Access Security Guide www.hp.com/go/hpprocurve HP ProCurve Series 5300xl Switches Series 3400cl Switches

Page 2

Contents 9 Configuring Port-Based Access Control (802.1x) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 3 - HP Procurve

TACACS+ Authentication Operating Notes When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not acces

Page 4

5 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 5

RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 5-6 n/a Configu

Page 6

RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication p

Page 7 - 4 TACACS+ Authentication

RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS You must have at least one RADIUS server a

Page 8

RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS serv

Page 9 - 8 Traffic/Security Filters

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authenti

Page 10 - Contents

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note This step assumes you have already configured the RADIUS s

Page 11

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADI

Page 12 - 12 Key Management System

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords

Page 13 - Getting Started

Contents 10 Configuring and Monitoring Port Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 14 - Introduction

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section d

Page 15

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in

Page 16 - Guideline

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can confi

Page 17 - Command Syntax Conventions

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication dead-time < 1 - 1440 > Optional. Specifies the time in min

Page 18 - Simulating Display Output

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-5. Example of Global Configuration Exercise for RADIUS

Page 19 - Related Publications

RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts

Page 20

RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Acces

Page 21

RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: Configured RADIUS authentication on

Page 22 - Sources for More Information

RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS

Page 23 - Network

RADIUS Authentication and Accounting Configuring RADIUS Accounting – Optional—if you are also configuring the switch for RADIUS authentication, and n

Page 24

Contents Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Menu: Viewing and Configuring IP Authorized

Page 25

RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS c

Page 26

RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non-default

Page 27

RADIUS Authentication and Accounting Configuring RADIUS Accounting Start-Stop: • Send a start record accounting notice at the beginning of the acc

Page 28

RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optiona

Page 29 - Menu: Setting Passwords

RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-

Page 30

RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Round Trip Time The time interval between the most recent Accounting-

Page 31

RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and

Page 32 - Front-Panel Security

RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting inter

Page 33 - When Security Is Important

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Swit

Page 34 - Front-Panel Button Functions

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003

Page 35 - Reset Button

Getting Started Contents 1 Getting Started Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 36

RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS ser

Page 37

6 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 38

Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI Web Generating a public/private key pair on the switch No n/a page 6-

Page 39

Configuring Secure Shell (SSH) Terminology Note SSH in HP Procurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH

Page 40

Configuring Secure Shell (SSH) Terminology PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for po

Page 41

Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publ

Page 42 - Password Recovery

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch

Page 43 - [N] (for “No”)

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Oper

Page 44 - Password Recovery Process

Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes Public keys generated on an SSH client must be e

Page 45 - Web and MAC Authentication

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section

Page 46

Getting Started Introduction Introduction This Access Security Guide is intended for use with the following switches: HP ProCurve Switch 5304xl

Page 47 - Client Options

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-5. Example of Configuring Local Passwords 2. Generating the Switch’s

Page 48 - General Features

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the

Page 49 - Operate

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch

Page 50

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the swit

Page 51 - MAC-based Authentication

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Before s

Page 52

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerprints" of the Same Switch Phonetic "Hash

Page 53

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an S

Page 54 - Operating Rules and Notes

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (de

Page 55

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourse

Page 56

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< l

Page 57

Getting Started Overview of Access Security Features Port-Based Access Control (802.1x) (page 9-1): On point-to-point connections, enables the swit

Page 58 - RADIUS Server

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution To allow SSH access only to clients having the correct public key, yo

Page 59

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-13 shows how to check the results of the above commands. Lists the cu

Page 60

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication

Page 61

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured th

Page 62

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.

Page 63

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note on Public The actual content of a public key entry in

Page 64

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-

Page 65

Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicate

Page 66

Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the crypto key generate ssh [rsa]Generating new RS

Page 67

7 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 68

Getting Started General Switch Traffic Security Guideline General Switch Traffic Security Guideline Where the switch is running multiple security opti

Page 69

Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI Web Generating a Self Signed Certificate on the switch No n/a

Page 70 - Based Authentication

Configuring Secure Socket Layer (SSL) Terminology HP Switch (SSL Server) SSL Client Browser 1. Switch-to-Client SSL Cert. 2. User-to-Switch (login pas

Page 71

Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-

Page 72

Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install

Page 73 - Client Status

Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes Once you generate a certificate on the sw

Page 74

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in Th

Page 75

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can

Page 76

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a

Page 77 - Applications:

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Becau

Page 78

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number arguments used in th

Page 79 - General System Requirements

Getting Started Command Syntax Conventions Note on ACL ACLs can enhance network security by blocking selected IP traffic, and can Security Use serve

Page 80

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note s “Zeroizing” the switch’s server host certificate or key automat

Page 81 - Caution

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface

Page 82 - Before You Begin

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers in

Page 83 - Configuration

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 7-6. Web browser Interface showing

Page 84

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with o

Page 85

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE---

Page 86

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s

Page 87 - Login Primary

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl

Page 88

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 7-8. Using the web browser

Page 89

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate o

Page 90 - Encryption Keys

Getting Started Simulating Display Output Simulating Display Output Commands or command output positioned to simulate displays of switch information i

Page 91

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup — This page is intentionally unused. — 7-22

Page 92 - First-Choice TACACS+ Server

8 Traffic/Security Filters Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 93

Traffic/Security Filters Overview Overview Applicable Switch Models. As of September, 2004, Traffic/Security filters are available on these current H

Page 94 - How Authentication Operates

Traffic/Security Filters Filter Types and Operation Filter Limits The switch accepts up to 101 static filters. These limitations apply: Source-port

Page 95

Traffic/Security Filters Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end no

Page 96

Traffic/Security Filters Filter Types and Operation When you create a source port filter, all ports and port trunks (if any) on the switch appear a

Page 97 - Using the Encryption Key

Traffic/Security Filters Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X

Page 98 - Access When Using TACACS+

Traffic/Security Filters Filter Types and Operation Table 8-2. Multicast Filter Limits on the 5300xl Switches Max-VLANs Setting Maximum # of Multicas

Page 99 - Messages Related to TACACS+

Traffic/Security Filters Configuring Traffic/Security Filters Protocol Filters (5300xl Only) This filter type enables the switch to forward or drop, o

Page 100 - Operating Notes

Traffic/Security Filters Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-num

Page 101

Getting Started Related Publications Port Numbering Conventions HP ProCurve stackable switches designate individual ports with sequential numbers (1,

Page 102 - Overview

Traffic/Security Filters Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a s

Page 103 - Terminology

Traffic/Security Filters Configuring Traffic/Security Filters 5, then create a trunk with ports 5 and 6, and display the results, you would see the fo

Page 104

Traffic/Security Filters Configuring Traffic/Security Filters Figure 8-5. Assigning Additional Destination Ports to an Existing Filter Configuring a M

Page 105

Traffic/Security Filters Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 8-3 on a 5300xl switch

Page 106 - Authentication

Traffic/Security Filters Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by in

Page 107

Traffic/Security Filters Configuring Traffic/Security Filters Filter Index Numbers (Automatically Assigned) Lists all filters configured in the switch

Page 108 - Want RADIUS To Protect

Traffic/Security Filters Configuring Traffic/Security Filters — This page is intentionally unused. — 8-16

Page 109 - SSH authentication

9 Configuring Port-Based Access Control (802.1x) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 110

Configuring Port-Based Access Control (802.1x) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1x Authenticators D

Page 111

Configuring Port-Based Access Control (802.1x) Overview Local authentication of 802.1x clients using the switch’s local username and password (as a

Page 113

Getting Started Related Publications Management and Configuration Guide. Use the Management and Configuration Guide for information on: Using the

Page 114

Configuring Port-Based Access Control (802.1x) Overview Authenticating One Switch to Another. 802.1x authentication also enables the switch to operat

Page 115 - Local Authentication Process

Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a d

Page 116 - Access When Using RADIUS

Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between

Page 117

Configuring Port-Based Access Control (802.1x) Terminology • A “failure” response continues the block on port B5 and causes port A1 to wait for the “

Page 118

Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple

Page 119

Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch

Page 120 - ■ IP address: 10.33.18.151

Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes On a port configured for 802.1x with RADIUS authentication, if the

Page 121

Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) General Setup Procedure for Port-Based A

Page 122 - ■ Stop-Only:

Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authenticat

Page 123

Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) 7. If you are using Port Security on th

Page 124 - Viewing RADIUS Statistics

Getting Started Getting Documentation From the Web Getting Documentation From the Web 1. Go to the HP Procurve website at http://www.hp.com/go/hpproc

Page 125

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802

Page 126

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Syntax: aaa port-access authenticator < port-list

Page 127 - RADIUS Accounting Statistics

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Sy

Page 128

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Sy

Page 129

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This ta

Page 130

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you select

Page 131

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 9-14 802.1x Supplicant

Page 132

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS

Page 133

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 9-2. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Res

Page 134

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthor

Page 135 - Public Key Formats

Getting Started Sources for More Information Sources for More Information If you need information on specific parameters in the menu interface, ref

Page 136

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Ru

Page 137

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Effect of Authorized-Client VLAN • When a client becomes authen

Page 138

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assume

Page 139 - Operation

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password a

Page 140

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius h

Page 141

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open

Page 142 - Key for the

Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on vi

Page 143 - Modulus <n>

Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Option For Authent

Page 144

Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Note on If the po

Page 145 - Client Contact Behavior

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring

Page 146 - ■ Execute no ip ssh

Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addressing. If you just want to give the switch an IP address so that it can com

Page 147

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 1. When po

Page 148

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring

Page 149

Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-ac

Page 150

Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics,

Page 151

Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Contin

Page 152 - Public-Key Authentication

Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Viewing 802.1x Open VLAN Mode Status You can

Page 153 - Comment

Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters When the Unauth VLAN ID is configured and

Page 154

Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN I

Page 155 - Key Index Number

Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Synt

Page 156

Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the

Page 157

Getting Started To Set Up and Install the Switch in Your Network — This page is intentionally unused. — 1-12

Page 158

Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticate

Page 159

Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily un

Page 160

Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 end

Page 161

Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 9-4. 802.1x Operating

Page 162

Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation — This page is intentionally unused. — 9-48

Page 163 - Prerequisite for Using SSL

10 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 164

Configuring and Monitoring Port Security Overview Overview Feature Default Menu CLI Web Displaying Current Port Security n/a — page 10-7 page

Page 165

Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security settin

Page 166 - Security Tab

Configuring and Monitoring Port Security Port Security • Limited-Continuous: Sets a finite limit ( 1 - 32 ) to the number of learned addresses allowe

Page 167

Configuring and Monitoring Port Security Port Security Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a secu

Page 168

2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 169 - Generate New Certificate

Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to th

Page 170

Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show po

Page 171

Configuring and Monitoring Port Security Port Security Figure 10-2. Example Port Security Listing (Ports A7 and A8 Show the Default Setting) With por

Page 172 - [SSL] button

Configuring and Monitoring Port Security Port Security Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-addre

Page 173 - Current SSL Host Certificate

Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: Configure port security and edit security

Page 174

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu

Page 175 - Browser Contact Behavior

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu

Page 176

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu

Page 177

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) action < none | send-alarm | send-disable > Specifies

Page 178 - Enable SLL

Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-out. MAC addresses learned by usi

Page 179 - Common Errors in SSL setup

Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-8 Set a Password none

Page 180

Configuring and Monitoring Port Security Port Security Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to autom

Page 181 - Traffic/Security Filters

Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existin

Page 182

Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limi

Page 183 - Filter Types and Operation

Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted d

Page 184 - Source-Port Filters

Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Lim

Page 185 - Example

Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you d

Page 186

Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair canno

Page 187

Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely

Page 188

Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within y

Page 189 - Forward action. (Default:

Configuring and Monitoring Port Security MAC Lockdown 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch

Page 190

Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level

Page 191 - Editing a Source-Port Filter

Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by th

Page 192 - (5300xl Switches Only)

Configuring and Monitoring Port Security MAC Lockdown Mixed Users Internal Network External Network Switch 1 Server A Server A is locked dow

Page 193 - Filter Indexing

Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so

Page 194

Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1x authentication. You cannot use MAC

Page 195

Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will overri

Page 196

Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features

Page 197 - (802.1x)

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion throug

Page 198

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the

Page 199

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, a

Page 200

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 10-13 on page 10

Page 201 - How 802.1x Operates

Configuring Username and Password Security Overview Note The manager and operator passwords and (optional) usernames control access to the menu inter

Page 202

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Clear intrusion flags on all ports. port-security [e] <

Page 203

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch

Page 204 - 802.1x standard

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Listing with Security Violation Detected Log Listing w

Page 205

Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder

Page 206

Configuring and Monitoring Port Security Operating Notes for Port Security HPswitch(config)# port-security e a17 learn-mode static address-limit 2 LA

Page 207 - Access Control (802.1x)

11 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 208

Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n

Page 209

Using Authorized IP Managers Options Options You can configure: Up to 10 authorized manager addresses, where each address applies to either a singl

Page 210 - Authenticators

Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table

Page 211

Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station ac

Page 212

Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted ea

Page 213

Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 5. Press [Enter], then [S] (for

Page 214

Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to acc

Page 215

Using Authorized IP Managers Web: Configuring IP Authorized Managers To Edit an Existing Manager Access Entry. To change the mask or access level for

Page 216 - 802.1x Open VLAN Mode

Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to

Page 217

Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP addres

Page 218

Using Authorized IP Managers Building IP Masks Figure 11-6. Analysis of IP Mask for Multiple-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet

Page 219

Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Manager List Results IP Mask

Page 220 - Unauthorized-Client VLANs

Using Authorized IP Managers Operating Notes • If you don’t need proxy server access at all on the authorized station, then just disable the proxy se

Page 221

Using Authorized IP Managers Operating Notes — This page is intentionally unused. — 11-14

Page 222

12 Key Management System Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Page 223

HP Procurve Series 5300xl Switches Series 3400cl Switches Access Security Guide September 2004

Page 224

Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password)

Page 225

Key Management System Overview Overview The HP Procurve switches covered in this guide provide support for advanced routing capabilities. Security tur

Page 226

Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain

Page 227 - 802.1x Devices

Key Management System Configuring Key Chain Management Add new key chain Entry “Procurve1”. Display key chain entries. Figure 12-1. Adding a New Key C

Page 228 - Non-802.1x

Key Management System Configuring Key Chain Management Adds a new Time-Independent key to the “Procurve1” chain. Displays keys in the key chain entry.

Page 229 - Other Switches

Key Management System Configuring Key Chain Management duration < mm/dd/yy [ yy ] hh:mm:ss | seconds > Specifies the time period during which th

Page 230

Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it

Page 231

Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses

Page 232

Index Numerics 3DES … 6-3, 7-3 802.1x See port-based access control. A aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access

Page 233 - Statistics, and Counters

G - I GVRP, static VLAN not advertised … 9-46 IGMP effect on filters … 8-7 IP multicast address range … 8-7 inconsistent value, message … 10-18 intrus

Page 234

P password browser/console access … 2-4 case-sensitive … 2-5 caution … 2-4 delete … 2-6 deleting with the Clear button … 2-6 if you lose the password

Page 235

Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section pass

Page 236

prior to … 10-35, 10-36, 10-39 Privacy Enhanced Mode (PEM) See SSH. protocol filters … 8-8 proxy web server … 10-39 Q - R quick start … 1-11 RADIUS ac

Page 237

keys, zeroing … 6-11 key-size … 6-17 known-host file … 6-13, 6-15 man-in-the-middle spoofing … 6-16 messages, operating … 6-27 OpenSSH … 6-3 operating

Page 238 - ■ The switch reboots

messages … 4-25 NAS … 4-3 overview … 1-2 precautions … 4-5 preparing to configure … 4-8 preventing switch lockout … 4-15 privilege level code … 4-7 se

Page 240

Technical information in this document is subject to change without notice. ©Copyright 2000, 2004. Hewlett-Packard Development Company, L.P. Reproduct

Page 241

Configuring Username and Password Security Front-Panel Security Web: Setting Passwords and Usernames In the web browser interface you can enter passwo

Page 242 - After the 802.1x session

Configuring Username and Password Security Front-Panel Security When Security Is Important Some customers require a high level of security for informa

Page 243 - < port-number >:

Configuring Username and Password Security Front-Panel Security Front-Panel Button Functions The front panel of the switch includes the Reset button a

Page 244

Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboo

Page 245

Configuring Username and Password Security Front-Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to st

Page 246

Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-security command from the globa

Page 247 - Port Security

Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover

Page 248

Configuring Username and Password Security Front-Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In th

Page 249 - Trunk Group Exclusion

© Copyright 2000-2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Rese

Page 250 - Planning Port Security

Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “

Page 251

Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by

Page 252

Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete

Page 253

Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form o

Page 254 - Configuring Port Security

Configuring Username and Password Security Front-Panel Security Figure 2-12. Example of the Steps for Disabling Password-Recovery Password Recovery Pr

Page 255

3 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 256

Web and MAC Authentication Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 3-17 — Configure MAC Authenticati

Page 257

Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logo

Page 258

Web and MAC Authentication Overview General Features Web and MAC Authentication on the Series 5300XL switches include the following: On a port conf

Page 259

Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access

Page 260

Contents Contents 1 Getting Started Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 261

Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated an

Page 262

Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the cl

Page 263

Web and MAC Authentication How Web and MAC Authentication Operate 4. If none of items 1, 2, or 3 above applies, then the client session does not have acces

Page 264 - MAC Lockdown

Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged

Page 265

Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes You can configure one type of authentication on a port. That is, the

Page 266

Web and MAC Authentication Operating Rules and Notes 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port b

Page 267 - MAC Lockdown Operating Notes

Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Note on Web/ The switch does not allow Web or MAC Authentication and LA

Page 268 - Deploying MAC Lockdown

Web and MAC Authentication General Setup Procedure for Web/MAC Authentication c. If there is neither a RADIUS-assigned VLAN nor an “Authorized VLAN” f

Page 269

Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configure the client device’s (hexadecimal) MAC address as both usernam

Page 270

Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to t

Page 271

Contents Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13 Disabling the Clear Password Function of th

Page 272 - MAC Lockout

Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Figure 3-4. Example of Configuring a Switch To Access a RADIUS Server 3-16

Page 273

Web and MAC Authentication Configuring Web Authentication on the Switch Configuring Web Authentication on the Switch Overview 1. If you have not alre

Page 274

Web and MAC Authentication Configuring Web Authentication on the Switch Configure the Switch for Web-Based Authentication Command Page Configuration

Page 275 - Alert Flags

Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-bas

Page 276

Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [logoff-period] <

Page 277 - Send-Disable

Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [redirect-url <u

Page 278 - Resetting Alert Flags

Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not alre

Page 279

Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration

Page 280

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-3

Page 281

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1

Page 282

Contents 4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 283

Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command

Page 284

Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-ser

Page 285 - Using Authorized IP Managers

Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [clients]] Shows

Page 286

Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-base

Page 287 - Access Levels

Web and MAC Authentication Client Status — This page is intentionally unused. — 3-30

Page 288 - Stations

4 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 289 - Managers

TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view the

Page 290

TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACA

Page 291

TACACS+ Authentication Terminology Used in TACACS Applications: • Authentication: The process for granting user access to a device through entry of a

Page 292

TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: • A TACACS+ ser

Page 293 - Building IP Masks

Contents Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 5-6 Outline of the Steps for Configuring RADIUS Authentication

Page 294 - IP Entry

TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a

Page 295

TACACS+ Authentication General Authentication Setup Procedure Note on Privilege Levels. Caution: When a TACACS+ server authenticates an access request

Page 296

TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for misconfigurations or missing data that

Page 297

TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs aaa auth

Page 298

TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the time

Page 299 - Key Management System

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the

Page 300

TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console n/a n/a S

Page 301

TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authenti

Page 302

TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them

Page 303

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these par

Page 304

Contents 7 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 305

TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Keys. Syntax: tacacs-server host < ip-addr > [key < key-string &

Page 306

TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none n/a Specifies the

Page 307 - Numerics

TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key <key-string> none (null) n/a Specifies the optional, global

Page 308 - 2 – Index

TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-5. Example

Page 309 - Index – 3

TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command withou

Page 310 - 4 – Index

TACACS+ Authentication How Authentication Operates Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or d

Page 311 - Index – 5

TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local auth

Page 312 - 6 – Index

TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “

Page 313

TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to confi

Page 314 - 5990-6052

TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below.
