HP 4100gl, 6108
Configuring and Monitoring Port Security

Port Security Command Options and Operation

If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another. Using the CLI, you can simultaneously increase the limit and add the MAC address with a single command. For example, suppose port A1 allows one authorized device and already has a device listed:

Figure 9-6. Example of Port Security on Port A1 with an Address Limit of “1”

To add a second authorized device to port A1, execute a port-security command for port A1 that raises the address limit to 2 and specifies the additional device’s MAC address. For example:

    ProCurve(config)# port-security a1 mac-address 0c0090-456456 address-limit 2

Removing a Device From the “Authorized” List for a Port Configured for Learn-Mode Static. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. See the “MAC Address” entry in the table on page 9-8.)

Caution

The address-limit setting controls how many MAC addresses are allowed in the Authorized Addresses list for a given port. If you remove a MAC address without also reducing the address limit by 1, the port may later detect and accept the same or another MAC address that you do not want in the Authorized Address list. Thus, if you use the CLI to remove a MAC address that is no longer authorized, you should first reduce the Address Limit (address-limit) integer by 1, as shown in the next example. This prevents the possibility of the same device or another device on the network from automatically being accepted as “authorized” for that port. (You can prevent the port from learning unauthorized MAC addresses by using the learn-mode configured option instead of the learn-mode static option. Refer to the Note on page 9-8.)
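The following Python model is an added illustration of the two procedures above (raising the address limit to add a second device, and lowering it before removing one); it is not switch firmware or ProCurve code. The PortSecurity class, its method names, the MAC 0c0090-123456 used for the device already on port A1 and the “stranger” MAC 001122-aabbcc are all assumptions made for the example. It reproduces only the behaviour the Caution describes: in learn-mode static, an open slot below address-limit is filled by the next unknown source address the port sees.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class AddressLimitFull(Exception):
    """Raised when a static add would exceed the port's current address-limit."""


@dataclass
class PortSecurity:
    """One switch port in learn-mode static (hypothetical model, not switch firmware).

    authorized : the port's Authorized Addresses list, at most address_limit entries
    intrusions : source MACs the port refused because the list was full
    """
    name: str
    address_limit: int = 1
    authorized: List[str] = field(default_factory=list)
    intrusions: List[str] = field(default_factory=list)

    def free_slots(self) -> int:
        # Negative when the limit was lowered below the current list size.
        return self.address_limit - len(self.authorized)

    def add_static(self, mac: str, address_limit: Optional[int] = None) -> List[str]:
        """Operator adds an authorized MAC, optionally raising the limit in the same
        step, like 'port-security a1 mac-address <mac> address-limit 2'."""
        if address_limit is not None:
            self.address_limit = address_limit
        if mac in self.authorized:
            return list(self.authorized)
        if self.free_slots() <= 0:
            raise AddressLimitFull(
                f"{self.name}: list full at address-limit {self.address_limit}")
        self.authorized.append(mac)
        return list(self.authorized)

    def set_limit(self, limit: int) -> None:
        # Assumption: the model does not validate the new limit against the list size.
        self.address_limit = limit

    def remove(self, mac: str) -> None:
        self.authorized.remove(mac)

    def frame_from(self, mac: str) -> str:
        """Traffic arrives from `mac`. An authorized source is forwarded; an unknown
        source is learned into an open slot (learn-mode static fills the list up
        to address-limit automatically); otherwise it is recorded as an intrusion."""
        if mac in self.authorized:
            return "forwarded"
        if self.free_slots() > 0:
            self.authorized.append(mac)
            return "learned"
        self.intrusions.append(mac)
        return "blocked"


EXISTING = "0c0090-123456"   # sample MAC assumed to be on port A1 already
NEW = "0c0090-456456"        # the second device added on this page
STRANGER = "001122-aabbcc"   # constructed MAC of a device that must never be authorized


def add_second_device() -> List[str]:
    """Port A1 at address-limit 1 with one device: the add fails until the limit is raised."""
    port = PortSecurity("A1", address_limit=1, authorized=[EXISTING])
    try:
        port.add_static(NEW)
    except AddressLimitFull:
        pass  # expected: the list is full at limit 1
    return port.add_static(NEW, address_limit=2)


def unsafe_removal() -> str:
    """Remove a MAC but leave address-limit at 2: the open slot is filled by the next
    unknown device the port sees (the situation the Caution warns about)."""
    port = PortSecurity("A1", address_limit=2, authorized=[EXISTING, NEW])
    port.remove(EXISTING)
    return port.frame_from(STRANGER)


def safe_removal() -> str:
    """Reduce address-limit by 1 first, then remove the MAC: no slot is left open."""
    port = PortSecurity("A1", address_limit=2, authorized=[EXISTING, NEW])
    port.set_limit(1)
    port.remove(EXISTING)
    return port.frame_from(STRANGER)


if __name__ == "__main__":
    print("after add:", add_second_device())
    print("unsafe removal, stranger is", unsafe_removal())
    print("safe removal, stranger is", safe_removal())
```

Running the block shows the stranger being learned after the unsafe removal and blocked after the safe one; the intrusions list on the port is where a monitoring script would look for the event the switch's intrusion log records.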

 

 

9-15
