Access Security Guide, HP ProCurve Series 4100GL Switches

TACACS+ Authentication

 

General Authentication Setup Procedure

2. Determine the following:

• The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services.

• The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).

• The number of log-in attempts you will allow before closing a log-in session. (Default: 3)

• The period you want the switch to wait for a reply to an authentication request before trying another server.

• The username/password pairs you want the TACACS+ server to use for controlling access to the switch.

• The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.

• The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).

3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager (read/write) privilege level.

Note on Privilege Levels

When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of "15" as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access. Thus, when configuring the TACACS+ server response to a request that includes a username/password pair that should have Manager privileges, you must use a privilege level of 15. For more on this topic, refer to the documentation you received with your TACACS+ server application.

If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you may then want to try additional features that the application offers.

 

4. Ensure that the switch has the correct local username and password for Manager access. (If the switch cannot find any designated TACACS+ servers, the local manager and operator username/password pairs are always used as the secondary access control method.)
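The decision the switch makes from the items gathered in steps 2 through 4 can be modelled directly. The block below is an added example written for this page, not HP ProCurve firmware or code from the manual: the server stubs, the 192.0.2.x addresses, the key string, the account names and every password are constructed, and a server's answer is represented by the priv-lvl value a real server would carry in its reply. It shows the first-choice ordering with fall-through on timeout, the "15 means Manager, 14 and lower means Operator" rule from the note above, the log-in attempt limit, and the point the parenthetical in step 4 makes: the local Manager and Operator pairs are consulted only when no listed server answers, so a reject from a reachable server does not fall back to the local password.

```python
"""Model of the switch-side login decision this procedure describes.
Added example, not HP ProCurve firmware: server stubs, addresses, the shared
secret and all credentials are constructed. A real switch exchanges TACACS+
packets with each server instead of calling a handler function."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MANAGER = "Manager"    # read/write
OPERATOR = "Operator"  # read-only


class ServerUnreachable(Exception):
    """Wait period for a reply expired; the switch tries the next server."""


# Server stub: (username, password) -> priv-lvl on accept, None on a reject;
# raises ServerUnreachable when no reply arrives within the wait period.
ServerFn = Callable[[str, str], Optional[int]]


@dataclass
class TacacsServer:
    ip: str
    key: str           # global or per-server shared secret (constructed)
    handler: ServerFn


@dataclass
class SwitchAuthConfig:
    servers: List[TacacsServer]      # in first-choice order
    local_manager: Tuple[str, str]   # secondary method from step 4, used
    local_operator: Tuple[str, str]  # only when no listed server answers
    num_attempts: int = 3            # switch default


def privilege_from_code(code: int) -> str:
    """Only priv-lvl 15 grants Manager; 14 and lower grant Operator."""
    return MANAGER if code == 15 else OPERATOR


def try_servers(cfg, user, pw):
    """Query servers in first-choice order, moving on after each timeout.
    Returns ("reply", code_or_None) or ("unreachable", None)."""
    for srv in cfg.servers:
        try:
            return "reply", srv.handler(user, pw)
        except ServerUnreachable:
            continue
    return "unreachable", None


def local_auth(cfg, user, pw):
    """Local Manager/Operator pairs, the secondary access control method."""
    if (user, pw) == cfg.local_manager:
        return MANAGER
    if (user, pw) == cfg.local_operator:
        return OPERATOR
    return None


def login_session(cfg, attempts):
    """One Telnet login session over the (user, password) pairs typed.
    Returns (level, "tacacs" | "local"), or (None, "closed") once num_attempts
    failures close the session. A reject from a reachable server is a failure:
    the local pairs are not consulted while any listed server answers."""
    for user, pw in attempts[:cfg.num_attempts]:
        outcome, code = try_servers(cfg, user, pw)
        if outcome == "reply":
            if code is not None:
                return privilege_from_code(code), "tacacs"
            continue
        level = local_auth(cfg, user, pw)
        if level is not None:
            return level, "local"
    return None, "closed"


def make_server(ip, key, users, reachable=True):
    """Constructed stand-in for a TACACS+ server with a small user database."""
    def handler(user, pw):
        if not reachable:
            raise ServerUnreachable(ip)
        entry = users.get(user)
        return entry[1] if entry and entry[0] == pw else None
    return TacacsServer(ip, key, handler)


SERVER_USERS = {                      # constructed server-side accounts
    "netadmin": ("mgr-secret", 15),   # Manager pair: priv-lvl must be 15
    "helpdesk": ("opr-secret", 1),    # Operator pair
    "almost":   ("alm-secret", 14),   # 14 is not enough: still Operator
}


def example_config(primary_up=True, secondary_up=True):
    """Two servers (constructed addresses and key) plus the local pairs."""
    return SwitchAuthConfig(
        servers=[make_server("192.0.2.10", "north01", SERVER_USERS, primary_up),
                 make_server("192.0.2.11", "north01", SERVER_USERS, secondary_up)],
        local_manager=("manager", "local-mgr"),
        local_operator=("operator", "local-opr"),
    )
```

Run `login_session(example_config(), [("manager", "local-mgr")] * 3)` to see the failure mode worth planning for: while a server answers, the local Manager pair is rejected three times and the session closes, so the local password is a recovery path for server outages, not an alternative login. One caveat on the "encryption key" item in step 2: the TACACS+ key only obfuscates the packet body with an MD5-derived pad; it is not strong encryption, so keep the switch-to-server path on a management network you trust.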

2-7
