HP 2626 (J4900A/B), 4100gl, 2650 (J4899A/B), 6108


TACACS+ Authentication

Configuring TACACS+ on the Switch

For example, you would use the following command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch:

ProCurve(config)# tacacs-server key north40campus

Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different from the one used for the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server:

ProCurve(config)# tacacs-server host 10.28.227.87 key south10campus

With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address. All other TACACS+ servers configured in the switch continue to use the global north40campus key.
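The following is an added example, not part of the HP manual, that models the key selection described above (a per-server key overrides the global key for that server only) and then uses the selected key in the TACACS+ packet body obfuscation defined in RFC 8907 section 4.5, so that a switch/server key mismatch becomes visible as an unreadable body. The server addresses, keys and the authentication body bytes are constructed sample values; the switch's real implementation is not shown in the manual.

```python
"""Added example (not from the HP ProCurve manual): global vs per-server
TACACS+ key selection, and what a key mismatch does to the packet body.
Keys, addresses and the sample body below are constructed values."""
import hashlib
import struct
from typing import Dict, Optional

VERSION = 0xC0                    # major version 0xC, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear (no key configured)
HEADER = struct.Struct("!BBBBII") # version, type, seq_no, flags, session_id, length


class TacacsKeyStore:
    """Mirrors the switch's two key areas: one global key
    (tacacs-server key <key>) and optional per-host keys
    (tacacs-server host <ip> key <key>)."""

    def __init__(self, global_key: Optional[str] = None) -> None:
        self.global_key = global_key
        self.host_keys: Dict[str, str] = {}

    def set_host_key(self, host: str, key: str) -> None:
        self.host_keys[host] = key

    def key_for(self, host: str) -> Optional[str]:
        # A host-specific key wins for that host only; everyone else gets the global key.
        return self.host_keys.get(host, self.global_key)


def obfuscate(body: bytes, key: str, session_id: int, seq_no: int,
              version: int = VERSION) -> bytes:
    """RFC 8907 section 4.5: XOR the body with a pseudo-pad of chained MD5 digests
    MD5(session_id | key | version | seq_no [| previous digest]).
    XOR is its own inverse, so the same call also restores a body."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, key: Optional[str], session_id: int, seq_no: int = 1) -> bytes:
    """What the switch sends: with no key the body goes in the clear and the
    unencrypted flag is set; with a key the body is obfuscated under that key."""
    if key is None:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    else:
        flags, payload = 0, obfuscate(body, key, session_id, seq_no)
    return HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload)) + payload


def decode_body(packet: bytes, key: Optional[str]) -> bytes:
    """What the server does with its own configured key for this client."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    if key is None:
        raise ValueError("obfuscated body received but no key configured for this client")
    return obfuscate(payload, key, session_id, seq_no, version)


def roundtrip(store: TacacsKeyStore, server_ip: str, server_key: Optional[str],
              body: bytes, session_id: int = 0x1A2B3C4D) -> bool:
    """True when the server recovers the exact body the switch sent, i.e. both
    sides resolved the same key for this switch/server pair."""
    packet = build_packet(body, store.key_for(server_ip), session_id)
    return decode_body(packet, server_key) == body


def demo() -> Dict[str, bool]:
    # Constructed authentication START body: action LOGIN, priv 0, type ASCII,
    # service LOGIN, user_len 5, then the user name.
    body = b"\x01\x00\x01\x01\x05\x00\x00\x00" + b"admin"
    store = TacacsKeyStore(global_key="north40campus")   # tacacs-server key north40campus
    store.set_host_key("10.28.227.87", "south10campus")  # tacacs-server host 10.28.227.87 key south10campus
    nokey = TacacsKeyStore()                             # no key configured at all
    return {
        "per_server_key_matches": roundtrip(store, "10.28.227.87", "south10campus", body),
        "global_key_rejected_by_override": roundtrip(store, "10.28.227.87", "north40campus", body),
        "other_server_uses_global": roundtrip(store, "10.28.227.10", "north40campus", body),
        "no_key_is_cleartext": roundtrip(nokey, "10.28.227.10", None, body),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last case is the caveat worth checking on a real switch: with no key configured on either side the TACACS+ body, including the user name and password, crosses the wire in plain text. Even with a key, the MD5 pseudo-pad is obfuscation rather than encryption (RFC 8907 says so explicitly), so TACACS+ traffic between switch and server should still be confined to a management VLAN or carried inside a tunnel.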

Controlling Web Browser Interface Access When Using TACACS+ Authentication

Configuring the switch for TACACS+ authentication does not affect web browser interface access. To prevent unauthorized access through the web browser interface, do one or more of the following:

Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch.

Configure the switch’s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.)

Disable web browser access to the switch by going to the System Information screen in the Menu interface and configuring the Web Agent Enabled parameter to No.

