Access Security Guide www.hp.com/go/hpprocurve HP ProCurve Series 5300xl Switches Series 3400cl Switches
TACACS+ Authentication Operating Notes When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not acces
RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 5-6 n/a Configu
RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication p
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS You must have at least one RADIUS server a
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS serv
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authenti
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note This step assumes you have already configured the RADIUS s
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADI
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section d
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can confi
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication dead-time < 1 - 1440 > Optional. Specifies the time in min
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-5. Example of Global Configuration Exercise for RADIUS
RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts
RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Acces
RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: Configured RADIUS authentication on
RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS
RADIUS Authentication and Accounting Configuring RADIUS Accounting – Optional—if you are also configuring the switch for RADIUS authentication, and n
RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS c
RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non-default
RADIUS Authentication and Accounting Configuring RADIUS Accounting Start-Stop: • Send a start record accounting notice at the beginning of the acc
RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optiona
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-
RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Round Trip Time The time interval between the most recent Accounting-
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting inter
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Swit
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS ser
Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI Web Generating a public/private key pair on the switch No n/a page 6-
Configuring Secure Shell (SSH) Terminology Note SSH in HP Procurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH
Configuring Secure Shell (SSH) Terminology PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for po
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publ
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Oper
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes Public keys generated on an SSH client must be e
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section
Getting Started Introduction Introduction This Access Security Guide is intended for use with the following switches: HP ProCurve Switch 5304xl
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-5. Example of Configuring Local Passwords 2. Generating the Switch’s
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the swit
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Before s
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerprints" of the Same Switch Phonetic "Hash"
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an S
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (de
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourse
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< l
Getting Started Overview of Access Security Features Port-Based Access Control (802.1x) (page 9-1): On point-to-point connections, enables the swit
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution To allow SSH access only to clients having the correct public key, yo
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-13 shows how to check the results of the above commands. Lists the cu
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured th
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note on Public The actual content of a public key entry in
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicate
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the crypto key generate ssh [rsa]Generating new RS
Getting Started General Switch Traffic Security Guideline General Switch Traffic Security Guideline Where the switch is running multiple security opti
Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI Web Generating a Self Signed Certificate on the switch No n/a
Configuring Secure Socket Layer (SSL) Terminology HP Switch (SSL Server) SSL Client Browser 1. Switch-to-Client SSL Cert. 2. User-to-Switch (login pas
Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes Once you generate a certificate on the sw
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in Th
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Becau
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number of arguments used in th
Getting Started Command Syntax Conventions Note on ACL Security Use: ACLs can enhance network security by blocking selected IP traffic, and can serve
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes “Zeroizing” the switch’s server host certificate or key automat
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers in
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 7-6. Web browser Interface showing
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with o
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE---
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SSL and port number selection Figure 7-8. Using the web browser
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate o
Getting Started Simulating Display Output Simulating Display Output Commands or command output positioned to simulate displays of switch information i
Traffic/Security Filters Overview Overview Applicable Switch Models. As of September, 2004, Traffic/Security filters are available on these current H
Traffic/Security Filters Filter Types and Operation Filter Limits The switch accepts up to 101 static filters. These limitations apply: Source-port
Traffic/Security Filters Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end no
Traffic/Security Filters Filter Types and Operation When you create a source port filter, all ports and port trunks (if any) on the switch appear a
Traffic/Security Filters Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X
Traffic/Security Filters Filter Types and Operation Table 8-2. Multicast Filter Limits on the 5300xl Switches Max-VLANs Setting Maximum # of Multicas
Traffic/Security Filters Configuring Traffic/Security Filters Protocol Filters (5300xl Only) This filter type enables the switch to forward or drop, o
Traffic/Security Filters Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-num
Getting Started Related Publications Port Numbering Conventions HP ProCurve stackable switches designate individual ports with sequential numbers (1,
Traffic/Security Filters Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a s
Traffic/Security Filters Configuring Traffic/Security Filters 5, then create a trunk with ports 5 and 6, and display the results, you would see the fo
Traffic/Security Filters Configuring Traffic/Security Filters Figure 8-5. Assigning Additional Destination Ports to an Existing Filter Configuring a M
Traffic/Security Filters Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 8-3 on a 5300xl switch
Traffic/Security Filters Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by in
Traffic/Security Filters Configuring Traffic/Security Filters Filter Index Numbers (Automatically Assigned) Lists all filters configured in the switch
Configuring Port-Based Access Control (802.1x) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1x Authenticators D
Configuring Port-Based Access Control (802.1x) Overview Local authentication of 802.1x clients using the switch’s local username and password (as a
Getting Started Related Publications Management and Configuration Guide. Use the Management and Configuration Guide for information on: Using the
Configuring Port-Based Access Control (802.1x) Overview Authenticating One Switch to Another. 802.1x authentication also enables the switch to operat
Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a d
Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between
Configuring Port-Based Access Control (802.1x) Terminology • A “failure” response continues the block on port B5 and causes port A1 to wait for the “
Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes On a port configured for 802.1x with RADIUS authentication, if the
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) General Setup Procedure for Port-Based A
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authenticat
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) 7. If you are using Port Security on th
Getting Started Getting Documentation From the Web Getting Documentation From the Web 1. Go to the HP Procurve website at http://www.hp.com/go/hpproc
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Syntax: aaa port-access authenticator < port-list
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Sy
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Sy
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This ta
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you select
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 9-14 802.1x Supplicant
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 9-2. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Res
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthor
Getting Started Sources for More Information Sources for More Information If you need information on specific parameters in the menu interface, ref
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Ru
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Effect of Authorized-Client VLAN • When a client becomes authen
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assume
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password a
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius h
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on vi
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Option For Authent
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Note on If the po
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring
Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addressing. If you just want to give the switch an IP address so that it can com
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 1. When po
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-ac
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics,
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Contin
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Viewing 802.1x Open VLAN Mode Status You can
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters When the Unauth VLAN ID is configured and
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN I
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Synt
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticate
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily un
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 end
Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 9-4. 802.1x Operating
Configuring and Monitoring Port Security Overview Overview Feature Default Menu CLI Web Displaying Current Port Security n/a — page 10-7 page
Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security settin
Configuring and Monitoring Port Security Port Security • Limited-Continuous: Sets a finite limit ( 1 - 32 ) to the number of learned addresses allowe
Configuring and Monitoring Port Security Port Security Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a secu
Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to th
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show po
Configuring and Monitoring Port Security Port Security Figure 10-2. Example Port Security Listing (Ports A7 and A8 Show the Default Setting) With por
Configuring and Monitoring Port Security Port Security Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-addre
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: Configure port security and edit security
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) action < none | send-alarm | send-disable > Specifies
Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-out. MAC addresses learned by usi
Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-8 Set a Password none
Configuring and Monitoring Port Security Port Security Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to autom
Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existin
Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limi
Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted d
Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Lim
Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you d
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair canno
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within y
Configuring and Monitoring Port Security MAC Lockdown [Figure residue: repeated “3400cl or 5300xl Switch” labels]
Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by th
Configuring and Monitoring Port Security MAC Lockdown [Figure labels: Mixed Users, Internal Network, External Network, Switch 1, Server A] Server A is locked dow
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1x authentication. You cannot use MAC
Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will overri
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion throug
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, a
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 10-13 on page 10
Configuring Username and Password Security Overview Note The manager and operator passwords and (optional) usernames control access to the menu inter
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Clear intrusion flags on all ports. port-security [e] <
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Listing with Security Violation Detected Log Listing w
Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder
Configuring and Monitoring Port Security Operating Notes for Port Security HPswitch(config)# port-security e a17 learn-mode static address-limit 2 LA
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n
Using Authorized IP Managers Options Options You can configure: Up to 10 authorized manager addresses, where each address applies to either a singl
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station ac
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted ea
Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 5. Press [Enter], then [S] (for
Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to acc
Using Authorized IP Managers Web: Configuring IP Authorized Managers To Edit an Existing Manager Access Entry. To change the mask or access level for
Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to
Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP addres
Using Authorized IP Managers Building IP Masks Figure 11-6. Analysis of IP Mask for Multiple-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Manager List Results IP Mask
Using Authorized IP Managers Operating Notes • If you don’t need proxy server access at all on the authorized station, then just disable the proxy se
12 Key Management System Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
HP Procurve Series 5300xl Switches Series 3400cl Switches Access Security Guide September 2004
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password)
Key Management System Overview Overview The HP Procurve switches covered in this guide provide support for advanced routing capabilities. Security tur
Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain
Key Management System Configuring Key Chain Management Add new key chain Entry “Procurve1”. Display key chain entries. Figure 12-1. Adding a New Key C
Key Management System Configuring Key Chain Management Adds a new Time-Independent key to the “Procurve1” chain. Displays keys in the key chain entry.
Key Management System Configuring Key Chain Management duration < mm/dd/yy [ yy ] hh:mm:ss | seconds > Specifies the time period during which th
Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it
Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses
Index Numerics 3DES … 6-3, 7-3 802.1x See port-based access control. A aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access
G - I GVRP, static VLAN not advertised … 9-46 IGMP effect on filters … 8-7 IP multicast address range … 8-7 inconsistent value, message … 10-18 intrus
P password browser/console access … 2-4 case-sensitive … 2-5 caution … 2-4 delete … 2-6 deleting with the Clear button … 2-6 if you lose the password
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section pass
prior to … 10-35, 10-36, 10-39 Privacy Enhanced Mode (PEM) See SSH. protocol filters … 8-8 proxy web server … 10-39 Q - R quick start … 1-11 RADIUS ac
keys, zeroing … 6-11 key-size … 6-17 known-host file … 6-13, 6-15 man-in-the-middle spoofing … 6-16 messages, operating … 6-27 OpenSSH … 6-3 operating
messages … 4-25 NAS … 4-3 overview … 1-2 precautions … 4-5 preparing to configure … 4-8 preventing switch lockout … 4-15 privilege level code … 4-7 se
Technical information in this document is subject to change without notice. ©Copyright 2000, 2004. Hewlett-Packard Development Company, L.P. Reproduct
Configuring Username and Password Security Front-Panel Security Web: Setting Passwords and Usernames In the web browser interface you can enter passwo
Configuring Username and Password Security Front-Panel Security When Security Is Important Some customers require a high level of security for informa
Configuring Username and Password Security Front-Panel Security Front-Panel Button Functions The front panel of the switch includes the Reset button a
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboo
Configuring Username and Password Security Front-Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to st
Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-security command from the globa
Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover
Configuring Username and Password Security Front-Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In th
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “
Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by
Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete
Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form o
Configuring Username and Password Security Front-Panel Security Figure 2-12. Example of the Steps for Disabling Password-Recovery Password Recovery Pr
3 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Web and MAC Authentication Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 3-17 — Configure MAC Authenticati
Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logo
Web and MAC Authentication Overview General Features Web and MAC Authentication on the Series 5300XL switches include the following: On a port conf
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access
Contents Contents 1 Getting Started Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated an
Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the cl
Web and MAC Authentication How Web and MAC Authentication Operate 4. If none of 1, 2, or 3, above, applies, then the client session does not have acces
Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes You can configure one type of authentication on a port. That is, the
Web and MAC Authentication Operating Rules and Notes 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port b
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Note on Web/ The switch does not allow Web or MAC Authentication and LA
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication c. If there is neither a RADIUS-assigned VLAN nor an “Authorized VLAN” f
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configure the client device’s (hexadecimal) MAC address as both usernam
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to t
Contents Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13 Disabling the Clear Password Function of th
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Figure 3-4. Example of Configuring a Switch To Access a RADIUS Server 3-16
Web and MAC Authentication Configuring Web Authentication on the Switch Configuring Web Authentication on the Switch Overview 1. If you have not alre
Web and MAC Authentication Configuring Web Authentication on the Switch Configure the Switch for Web-Based Authentication Command Page Configuration
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-bas
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [logoff-period] <
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [redirect-url <u
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not alre
Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-3
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1
Contents 4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-ser
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [clients]] Shows
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-base
4 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view the
TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACA
TACACS+ Authentication Terminology Used in TACACS Applications: Authentication: The process for granting user access to a device through entry of a
TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: A TACACS+ ser
Contents Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 5-6 Outline of the Steps for Configuring RADIUS Authentication
TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a
TACACS+ Authentication General Authentication Setup Procedure Note on Privilege Levels (Caution): When a TACACS+ server authenticates an access request
TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for misconfigurations or missing data that
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs aaa auth
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the time
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console n/a n/a S
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authenti
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these par
Contents 7 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Keys. Syntax: tacacs-server host < ip-addr > [key < key-string &
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none n/a Specifies the
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key <key-string> none (null) n/a Specifies the optional, global
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-5. Example
TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command withou
TACACS+ Authentication How Authentication Operates Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or d
TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local auth
TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “
TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to confi
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below.