HP 4100gl manual Overview, Why Use Port-Based Access Control?, General Features

Page 136

Configuring Port-Based Access Control (802.1x)

Overview

Feature                                                      Default   Menu  CLI        Web
Configuring Switch Ports as 802.1x Authenticators            Disabled  n/a   page 6-14  n/a
Configuring 802.1x Open VLAN Mode                            Disabled  n/a   page 6-20  n/a
Configuring Switch Ports to Operate as 802.1x Supplicants    Disabled  n/a   page 6-33  n/a
Displaying 802.1x Configuration, Statistics, and Counters    n/a       n/a   page 6-37  n/a
How 802.1x Affects VLAN Operation                            n/a       n/a   page 6-43  n/a
RADIUS Authentication and Accounting                         Refer to “RADIUS Authentication and Accounting” on page 3-1

Why Use Port-Based Access Control?

Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network. Also, the use of DHCP services and zero configuration makes access to networking services easily available. This exposes the network to unauthorized use and malicious attacks. While access to the network should be made easy, uncontrolled and unauthorized access is usually not desirable. 802.1x provides access control along with the ability to control user profiles from a central RADIUS server, while allowing users access from multiple points within the network.

General Features

802.1x on the Series 4100GL switches includes the following:

- Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point-to-point connections to other 802.1x-aware switches.

- Authentication of 802.1x clients using a RADIUS server and either the EAP or CHAP protocol.

- Provision for enabling clients that do not have 802.1x supplicant software to use the switch as a path for downloading the software and initiating the authentication process (802.1x Open VLAN mode).

- Supplicant implementation using CHAP authentication and independent username and password configuration on each port.

- Prevention of traffic flow in either direction on unauthorized ports.
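As an added illustration (not code from the HP manual or the switch firmware), the following Python model encodes the forwarding rules the feature list describes: EAPOL frames are always accepted so authentication can proceed, an unauthorized port passes no user traffic in either direction, Open VLAN mode offers only an Unauthorized-Client VLAN until the RADIUS server accepts the client, and an Access-Accept may carry a VLAN assignment. The class, field and VLAN names are assumptions for the model, not switch configuration syntax.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Union

# 802.1x EAP-over-LAN ethertype; these frames are always accepted so authentication can run
EAPOL_ETHERTYPE = 0x888E


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass
class AuthenticatorPort:
    """Constructed model of one switch port acting as an 802.1x authenticator."""
    name: str
    open_vlan_mode: bool = False       # models the manual's "802.1x Open VLAN mode"
    unauth_vid: Optional[int] = None   # VLAN offered to clients not yet authenticated (assumed name)
    auth_vid: int = 1                  # port's normal VLAN once the client is authorized
    state: PortState = PortState.UNAUTHORIZED
    radius_vid: Optional[int] = None   # VLAN pushed by RADIUS on Access-Accept, if any (assumption)

    def radius_result(self, accepted: bool, assigned_vid: Optional[int] = None) -> PortState:
        """Apply the RADIUS server's answer for the supplicant attached to this port."""
        self.state = PortState.AUTHORIZED if accepted else PortState.UNAUTHORIZED
        self.radius_vid = assigned_vid if accepted else None
        return self.state

    def forward(self, ethertype: int) -> Union[int, str, None]:
        """Decide what happens to a frame on this port; the rule is the same in both directions.

        Returns the VLAN id the frame is switched on, "authenticator" for EAPOL frames
        consumed by the switch's own 802.1x process, or None when the frame is dropped.
        """
        if ethertype == EAPOL_ETHERTYPE:
            return "authenticator"
        if self.state is PortState.AUTHORIZED:
            # A RADIUS-assigned VLAN overrides the port's static VLAN for this session
            return self.radius_vid if self.radius_vid is not None else self.auth_vid
        if self.open_vlan_mode and self.unauth_vid is not None:
            # Open VLAN mode: limited access (e.g. to download supplicant software)
            # on the Unauthorized-Client VLAN only, until RADIUS accepts the client
            return self.unauth_vid
        # Standard mode: an unauthorized port passes no user traffic at all
        return None
```

The model makes the operational difference visible: a port left in standard mode drops an unauthenticated client's traffic completely, while Open VLAN mode trades that for a deliberately limited VLAN until authentication succeeds.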

6-2
