HP 2600-PWR, 2626 (J4900A/B), 2650 (J4899A/B), 4100, 4100gl, 6108 158

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

Enabling Client Public-Key Authentication. After you TFTP a client- public-key file into the switch (described above), you can configure the switch to allow one of the following:

■ If an SSH client’s public key matches the switch’s client-public-key file, allow that client access to the switch. If there is not a public-key match, then deny access to that client.

■ If an SSH client’s public key does not have a match in the switch’s client-public-key file, allow the client access if the user can enter the switch’s login (Operator) password. (If the switch does not have an Operator password, then deny access to that client.

Syntax: aaa authentication ssh login public-key none

Allows SSH client access only if the switch detects a match between the client’s public key and an entry in the client- public-key file most recently copied into the switch.

aaa authentication ssh login public-key local

	Allows SSH client access if there is a public key match (see
	above) or if the client’s user enters the switch’s login (Oper-
	ator) password.
	With login public-key local configured, if the switch does not have an Operator-
	level password, it blocks client public-key access to SSH clients whose private
	keys do not match a public key in the switch’s client-public-key file.

Caution	To enable client public-key authentication to block SSH clients whose public
	keys are not in the client-public-key file copied into the switch, you must
	configure the Login Secondary as none. Otherwise, the switch allows such
	clients to attempt access using the switch’s Operator password.

6-26

Contents

ProCurve Switches Access Security Guide Page ProCurve Switch 2600 Series Switch 2600-PWRSeries Switch 2800 Series Switch 4100gl Series Page Contents Product Documentation 1 Getting Started 2 Configuring Username and Password Security 3Web and MAC Authentication for the Series 2600/ 2600-PWRand 2800 Switches 4 TACACS+ Authentication 5 RADIUS Authentication and Accounting 6 Configuring Secure Shell (SSH) 7 Configuring Secure Socket Layer (SSL) 8 Configuring Port-BasedAccess Control (802.1X) 9 Configuring and Monitoring Port Security 10Traffic/Security Filters (ProCurve Series 2600/2600-PWRand 2800 Switches) 11 Using Authorized IP Managers Page Product Documentation Feature Index Page Page Getting Started Introduction http://www.procurve.com Overview of Access Security Features TACACS+ Authentication RADIUS Authentication and Accounting Port-Based Traffic/Security Filters Authorized IP Managers Table 1-1.Management Access Security Protection Conventions bold italics Series 2600/2600-PWR and 2800 Switches hostname Figure 1-1.Example of a Figure Showing a Simulated Screen Sources for More Information http://www.procurve.com Technical support Product manuals Figure 1-2.Getting Help in the Menu Interface Need Only a Quick Start setup 8.Run Setup Important Page Configuring Username and Password Security Page Caution Inactivity Time Configuring Local Password Security Figure 2-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Yes Configuring Manager and Operator Passwords Figure 2-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface Front-PanelSecurity Figure 2-4.Example Front-PanelButton Locations Figure 2-5.Press the Clear Button for One Second To Reset the Password(s) Figure 2-6.Press and hold the Reset Button for One Second To Reboot the Switch front-panel-security Clear Password: Disabled Password Recovery: CAUTION: Figure 2-7.The Default Front-PanelSecurity Settings reset-on-clear Disabled password-clear Figure 2-9.Example of Re-Enablingthe Clear Button’s Default Operation Default: Notes: Figure 2-10.Example of Disabling the Factory Reset Option C a u t i o n Note: To disable password-recovery: Steps for Disabling Password-Recovery factory- reset no front-panel-security password-recovery CAUTION Figure 2-11.Example of the Steps for Disabling Password-Recovery N o t e Page Web and MAC Authentication for the Series 2600/2600-PWRand 2800 Switches Applicable Switch Models Web Authentication (Web-Auth) Page Page How Web and MAC Authentication Operate Figure 3-1.Example of User Login Screen dhcp-addr dhcp-lease port-access Figure 3-2.Progress Message During Authentication client-limit redirect-url Figure 3-3.Authentication Completed client-moves unauth- vid addr-format addr-limit reauth-period reauthenticate logoff-period addr-moves server-timeout Authorized-Client Authentication Server: CHAP: Client: Redirect URL: Operating Rules and Notes Note on Port Access Management Page Note on Web MAC Authentication and LACP General Setup Procedure for Web/MAC Authentication Page aabbccddeeff aabbcc-ddeeff aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff Note on MAC Configuring the Switch To Access a RADIUS Server Figure 3-4.Example of Configuring a Switch To Access a RADIUS Server Configuring Web Authentication ping Page Page Page Page Configuring MAC Authentication on the Switch no-delimiter single-dash multi-dash multi-colon Page Page Show Status and Configuration of Web-BasedAuthentication Show Status and Configuration of MAC-BasedAuthentication Page Show Client Status show... clients’ Page TACACS+ Authentication A3 or A2 or Figure 4-1.Example of TACACS+ Operation Notes Terminology Used in TACACS Applications: Authentication: Page General System Requirements General Authentication Setup Procedure Page Note on Privilege Levels telnet login telnet enable write memory Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Syntax Figure 4-2.Example Listing of the Switch’s Authentication Configuration Syntax: paris-1 show tacacs Figure 4-3.Example of the Switch’s TACACS+ Configuration Listing radius Table 4-1.AAA Authentication Parameters Table 4-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Page The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Table 4-3.Details on Configuring TACACS Servers and Keys Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 4-4.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key How Authentication Operates Figure 4-6.Using a TACACS+ Server for Authentication Page Local Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Operating Notes Page RADIUS Authentication and Accounting Page Host: See RADIUS Server NAS (Network Access Server): RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Preparation: Table 5-1.Preparation for Configuring RADIUS on the Switch Figure 5-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Page Page Local Authentication Process Controlling Web Browser Interface Access When Using RADIUS Authentication Configuring RADIUS Accounting Network accounting: System accounting: Page key key-string Accounting types: Trigger for sending accounting reports to a RADIUS server: Updating: Page Exec: exec System: system system ■Start-Stop: start-stop ■Stop-Only: stop-only Figure 5-8.Example of Configuring Accounting Types Updates: Suppress: Viewing RADIUS Statistics Figure 5-11.RADIUS Server Information From the Show Radius Host Command Table 5-2.Values for Show Radius Host Output (Figure 5-11) Figure 5-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 5-13.Example of RADIUS Authentication Information from a Specific Server Figure 5-14.Listing the Accounting Configuration in the Switch Figure 5-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 5-17.Search Order for Accessing a RADIUS Server Figure 5-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Page Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 6-1.Client Public Key Authentication Model http://www.openssh.com Figure 6-2.Switch/User Authentication SSH Server: Key Pair: PEM (Privacy Enhanced Mode): Private Key: Enable Level: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication Table SSH Options login public- key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication Page aaa authentication ssh Figure 6-14.Example of a Client Public Key Note on Public Keys smith@fellow fingerprint clear crypto public-key Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) http://www.openssl.com Server Certificate authentication with User Password Authentication Figure 7-1.Switch/User Authentication SSL Server: Manager Level: Operator Level: SSL Enabled: crypto key generate cert [key size] crypto Prerequisite for Using SSL Steps for Configuring and Using SSL for Switch and Client Authentication Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL Setup Page Configuring Port-BasedAccess Control (802.1X) Page Page Page Figure 8-1.Example of an 802.1X Application How 802.1X Operates Figure 8-2.Example of Supplicant Operation Authenticator: CHAP (MD5): EAP EAPOL: Friendly Client: MD5: PVID (Port VID): Page Error configuring port X: LACP and 802.1X cannot be run together Note on and LACP General Setup Procedure for Port-Based Access Control (802.1X) eap-radius chap-radius radius host Page Configuring Switch Ports as 802.1X Authenticators authorized: unauthorized: max-requests (Syntax Continued) control auto Figure 8-3.Example of 802.1X (Port-Access)Authentication Page 802.1X Open VLAN Mode 1st Priority: 2nd Priority: Table 8-1.802.1X Open VLAN Mode Options 802.1X Per-PortConfiguration Port Response both Only Unauthorized-Client VLAN Authorized-Client Condition Rule Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1X Devices Note on Blocking a Non- 802.1X Device control authorized authorized Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Figure 8-4.Example of Supplicant Operation Page identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1X Configuration Statistics, and Counters supplicant Figure 8-5.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 8-2.Open VLAN Mode Status Figure 8-6.Example of Showing a VLAN with Ports Configured for Open VLAN Mode secret Connecting supplicant statistics [e] How RADIUS/802.1X Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 8-7.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1X Operation Table 8-3.802.1X Operating Messages Configuring and Monitoring Port Security Default Port Security Operation continuous Intruder Protection Authorized (MAC) Addresses: Figure 9-1.Example of How Port Security Controls Access Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Page Page MAC Lockdown How It Works Other Useful Information Page Limits Event Log Messages Page Figure 9-9.MAC Lockdown Deployed At the Network Edge Provides Security Page Figure 9-10.Connectivity Problems Using MAC Lockdown with Multiple Paths Displaying status running-config static-mac Figure 9-11.Listing Locked Down Ports MAC Lockout lockout-mac Figure 9-12.Listing Locked Out Ports IP Lockdown (eth-1)# Web: Displaying and Configuring Port Security Features Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 9-13.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation Figure 9-14.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 9-15.Example of the Intrusion Log Display prior to Page Figure 9-18.Example of Port Status Screen After Alert Flags Reset Page Operating Notes for Port Security Page Traffic/Security Filters General Operation Figure 10-1.Example of a Filter Blocking Traffic only from Port 5 to Server "A Figure 10-2.The Filter for the Actions Shown in Figure Using Source-PortFilters trk1 trk2 trk6 Trk1 show filter index Figure 10-3.Example of Switch Response to Adding a Filtered Source Port to a Trunk Page Figure 10-4.Example of Listing Filters and the Details of a Specific Filter filter source-port Figure 10-5.Assigning Additional Destination Ports to an Existing Filter no filter named-filter <filter-name web-only accounting drop Figure 6. Network Configuration for Named Source-PortFilters Example Applying Example Named Source-PortFilters Page IDX Value Figure 10-7.Expanded Network Configuration for Named Source-PortFilters Example Action Page Using Authorized IP Managers Authorized IP Manager Features Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration … 7.IP Authorized Managers Figure 11-1.Example of How To Add an Authorized Manager Entry Figure 11-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Figure 11-3.Example of the Show IP Authorized-ManagerDisplay To Delete an Authorized Manager Entry. This command uses the IP Web: Configuring IP Authorized Managers Building IP Masks Table 11-1.Analysis of IP Mask for Single-StationEntries Figure 11-5.Analysis of IP Mask for Multiple-StationEntries Page Duplicate IP Addresses: Web Proxy Servers: Numerics