Access Security Guide
December
Publication Number
Contents
Terminology
Operating Rules and Notes
Overview
Client Options
General Features
Configuring the Switch To Access a RADIUS Server
Viewing the Switch’s Current Authentication Configuration
Configuring the Switch’s TACACS+ Server Access
General Authentication Process Using a TACACS+ Server
Messages Related to TACACS+ Operation
Operating Notes
Configuring Secure Shell SSH
Local Authentication Process
Generate the Switch’s Server Host Certificate
Common Errors in SSL Setup
Configuring and Monitoring Port Security
Operating Notes for Port Security
Access Levels
Web: Configuring IP Authorized Managers
About Your Switch Manual Set
Switch manual set includes the following
Feature Index
Feature
Configuration Management Guide
Product Documentation Feature
TFTP
Getting Started
Overview of Access Security Features
Access security features covered in this guide include
Introduction
Management Access Security Protection
Fabric than if you use only local passwords
General Switch Traffic Security Guidelines
Conventions
Feature Descriptions by Model
Command Syntax Statements
Port Identity Examples
Command Prompts
Screen Simulations
Sources for More Information
Getting Help in the Menu Interface
Run Setup
Need Only a Quick Start?
IP Addressing
Main Menu of the Menu interface, select
To Set Up and Install the Switch in Your Network
Interpreting LED behavior
Configuring Username and Password Security
Overview
Web browser interface
Configuring Local Password Security
Menu: Setting Passwords
To set a new password
Console Passwords
Commands Used in This Section
CLI: Setting Passwords and Usernames
Continue Deletion of password protection? No
Click on the Security tab
Web: Setting Passwords and Usernames
Click on Device Passwords
When Security Is Important
Front-Panel Security
Clear Button
Reset+Clear
Front-Panel Button Functions
Press and hold the Reset button
Reset Button
Restoring the Factory Default Configuration
Configuring Front-Panel Security
Reset+Clear Self Test
Syntax show front-panel-security
Default Front-Panel Security Settings
Either form of the command enables password-clear
Changing the Operation of the Reset+Clear Combination
Example of Re-Enabling the Clear Button’s Default Operation
Password Recovery
Disabling or Re-Enabling the Password Recovery Process
Default configuration settings
Management access to the switch
Steps for Disabling Password-Recovery
no front-panel-security password-recovery
Password Recovery Process
11. Example of the Steps for Disabling Password-Recovery
Overview Client Options General Features
Overview
RADIUS server uses the device MAC address as the username
Lock a particular device to a specific switch and port
Client Options
General Features
Web-based Authentication
How Web and MAC Authentication Operate
Authenticator Operation
Progress Message During Authentication
MAC-based Authentication
Terminology
Operating Rules and Notes
Management
General Setup Procedure for Web/MAC Authentication
Do These Steps Before You Configure Web/MAC Authentication
Addresses
Accepted MAC address formats: aabbcc-ddeeff, aa-bb-cc-dd-ee-ff, aabbccddeeff
Configuring the Switch To Access a RADIUS Server
RADIUS Server Configuration Commands
Example of Configuring a Switch To Access a RADIUS Server
Configuring Web Authentication
Overview
Configure the Switch for Web-Based Authentication
Command Configuration Level
Syntax: no aaa port-access web-based e <port-list>
Syntax: aaa port-access web-based e <port-list> max-requests
Default: 30 seconds
Configuring MAC Authentication on Switch
Configure the Switch for MAC-Based Authentication
Syntax
Default: 30 seconds
Show Status and Configuration Web-Based Authentication
Command
Show Status and Configuration of MAC-Based Authentication
Syntax: show port-access <port-list> mac-based clients
Show Client Status
Timed out-unauth VLAN
TACACS+ Authentication
Example of TACACS+ Operation
Terminology Used in TACACS+ Applications
General Authentication Setup Procedure
General System Requirements
Using the Encryption Key on
Determine the following
Before You Begin
Configuring TACACS+ on the Switch
Switch offers three command areas for TACACS+ operation
This example shows the default authentication configuration
CLI Commands Described in this Section
Viewing the Switch’s Current Authentication Configuration
Example of the Switch’s TACACS+ Configuration Listing
Configuring the Switch’s Authentication Methods
AAA Authentication Parameters
Name Default Range Function
Authentication for the access being configured is local
Method/privilege path. Available only if the primary method
Primary/Secondary Authentication Table
Login Primary to Local authentication
ProCurve(config)# aaa authentication num-attempts
Configuring the Switch’s TACACS+ Server Access
Switch or your TACACS+ server
Syntax: tacacs-server host <ip-addr> key <key-string>
Details on Configuring TACACS+ Servers and Keys
Name / Default / Range
tacacs-server host <ip-addr>: default None
key <key-string>: default None (null)
timeout: 1
ProCurve(config)# no tacacs-server host
To configure north01 as a per-server encryption key
Changes without executing write mem
How Authentication Operates
General Authentication Process Using a TACACS+ Server
Terminal must initiate a new session before trying again
Local Authentication Process
Authentication
General Operation
Using the Encryption Key
Encryption Options in the Switch
ProCurve(config)# tacacs-server key north40campus
tacacs-server configuration
Messages Related to TACACS+ Operation
Operating Notes
CLI Message Meaning
RADIUS Authentication and Accounting
Web Series 2600, 2600-PWR, and 2800 switches Port-Access
Host: See RADIUS Server
Switch Operating Rules for RADIUS
General RADIUS Setup Procedure
Preparation for Configuring RADIUS on the Switch
Configuring the Switch for RADIUS Authentication
RADIUS Authentication Commands
Outline of the Steps for Configuring RADIUS Authentication
RADIUS server documentation
Example Configuration for RADIUS Authentication
Configure the Switch To Access a RADIUS Server
Configuring RADIUS Accounting instead of continuing here
Configure the Switch’s Global RADIUS Parameters
Listings of Global RADIUS Parameters Configured In Figure
Local Authentication Process
Configuring RADIUS Accounting
RADIUS Accounting Commands
Access methods
Configured one or more RADIUS servers to support the switch
Under Port-Based Access Control
This section assumes you have already
Steps for Configuring RADIUS Accounting
Operating Rules for RADIUS Accounting
Configure the Switch To Access a RADIUS Server
key <key-string>
Start-Stop
Syntax: no aaa accounting update periodic 1
Viewing RADIUS Statistics
General RADIUS Statistics
Values for Show RADIUS Host Output Figure
Term Definition
RADIUS Authentication Statistics
Syntax show authentication
14. Listing the Accounting Configuration in the Switch
RADIUS Accounting Statistics
Changing RADIUS-Server Access Order
17. Search Order for Accessing a RADIUS Server
18. Example of New RADIUS Server Search Order
Messages Related to RADIUS Operation
Message Meaning
Configuring Secure Shell SSH
Client Public Key Authentication Model
Use a key to authenticate itself to the switch
Using these algorithms unless otherwise noted
Terminology
Prerequisite for Using SSH
Public Key Formats
Primary SSH
Authentication
SSH Options
General Operating Rules and Notes
SSH-Related Commands in This Section
Configuring the Switch for SSH Operation
Assign Local Login Operator and Enable Manager Password
Generate the Switch’s Public and Private Key Pair
Example of Configuring Local Passwords
Pair automatically disables SSH
To the switch using the earlier pair
CLI kill command
Operation
Provide the Switch’s Public Key to Clients
For example, to generate and display a new key
Example of a Public Key Generated by the Switch
Key fields: bit size, exponent e, modulus n
Switch’s Public and Private Key Pair on
To enable SSH on the switch
Always 896 bits
49, 80, 1506,
Configure the Switch for SSH Authentication
Option B Configuring the Switch for Client Public-Key SSH
Copies a public key file into the switch
Further Information on SSH Client Public-Key Authentication
Use an SSH Client To Access the Switch
14. Example of a Client Public Key
Property Supported Comments Value
ASCII
Deletes the client-public-key file from the switch
Messages Related to SSH Operation
00000K Peer unreachable
Generating new RSA host key. If
Configuring Secure Socket Layer SSL
Steps for Configuring and Using SSL for Switch
Server Certificate authentication with User Password
Otherwise noted
3DES: 168-bit (112-bit effective)
RC4: 40-bit, 128-bit
Prerequisite for Using SSL
General Operating Rules and Notes
Configuring the Switch for SSL Operation
SSL-Related CLI Commands in This Section
Security Tab Password Button
Generate the Switch’s Server Host Certificate
Particular switch/client session, and then discarded
Verified unequivocally
Earlier certificate
To Generate or Erase the Switch’s Server Certificate with
CLI
Comments on Certificate Fields
Certificate Field Descriptions
For example, to generate a key and a new host certificate
Field Name Description
Can resume SSL operation
For example, to display the new server host certificate
Web browser Interface showing current SSL Host Certificate
Example of a Certificate Request and Reply
Using the CLI interface to enable SSL
Using the web browser interface to enable SSL
Zeroize the switch’s host certificate or certificate key.
Execute no web-management ssl
Enable SSL Port Number Selection
Common Errors in SSL Setup
Error During Possible Cause
Configuring Port-Based Access Control
Operating Rules for Authorized-Client
Why Use Port-Based Access Control?
Example of an 802.1X Application
How 802.1X Operates
Switch-Port Supplicant Operation
Example of Supplicant Operation
Authenticator at the same time
802.1X standard
General Operating Rules and Notes
General Setup Procedure for Port-Based Access Control
Do These Steps Before You Configure 802.1X Operation
Overview Configuring 802.1X Authentication on Switch
Authenticators operate as expected
802.1X Authentication Commands
Configuring Switch Ports as 802.1X Authenticators
Enable 802.1X Authentication on Selected Ports
Quiet-period 0
Max-requests 1
Clears authenticator statistics counters
Configure the 802.1X Authentication Method
Example of 802.1X Port-Access Authentication
Enable 802.1X Authentication on the Switch
Enter the RADIUS Host IP Addresses
Introduction
802.1X Open VLAN Mode
802.1X-Related Show Commands
RADIUS Server Configuration
Use Models for 802.1X Open VLAN Modes
Membership in the VLAN
802.1X Open VLAN Mode Options
802.1X Open VLAN Mode
802.1X Per-Port Configuration Port Response
Condition Rule
Multiple Authenticator Ports Using
Setting Up and Configuring 802.1X Open Vlan Mode
Before you configure the 802.1X Open VLAN mode on a port
Mised by an unauthorized client
VLAN Operation
Activate authentication on the switch
Port-Security To Allow Only 802.1X Devices on
ProCurve(config)# aaa authentication port-access eap-radius
802.1X Open VLAN Operating Notes
ProCurve(config)# aaa port-access authenticator e A10
Enables 802.1X authentication on the port
802.1X Authentication Commands 802.1X Supplicant Commands
Default supplicant parameters or any previously configured
Syntax aaa port-access supplicant ethernet port-list
Enter secret password Repeat secret password
Max-start 1
Displaying 802.1X Configuration Statistics, and Counters
Show Commands for Port-Access Authenticator
Show port-access authenticator Syntax Config e port-list
Viewing 802.1X Open VLAN Mode Status
Open VLAN Mode Status
802.1X authentication
Access Control
Authenticator
No PVID: The port is not an untagged member of any VLAN
Status Indicator Meaning
Current VLAN ID
Switch reboots
Show Commands for Port-Access Supplicant
Supplicant port detects a different authenticator device
How RADIUS/802.1X Authentication Affects VLAN Operation
Example of an Active VLAN Configuration
Otherwise, port A2 is not listed
Assignment
Messages Related to 802.1X Operation
802.1X Operating Messages
Configuring and Monitoring Port Security
Cast traffic
Basic Operation
Blocking Unauthorized Traffic
Physical Topology and Logical Topology for Access to Switch A (Switch A, Switch B, Switch C)
Planning Port Security
Port Security Command Options Operation
Port Security Commands Used in This Section
Commands
Acquires and maintains authorized addresses
080090-1362f2
00f031-423fc1 4 b0-880a80 the authorized address
address-limit <integer>
clear-intrusion-flag
Displaying Current Port Security Settings
Retention of Static MAC Addresses
Learned MAC Addresses
Assigned/Authorized MAC Addresses
Using the CLI To Display Port Security Settings
Configuring Port Security
Specifying Authorized Devices and Intrusion Responses
Adding a MAC Address to an Existing Port List
Example of Adding an Authorized Device to a Port
Example of Adding a Second Authorized Device to a Port
Device’s MAC address. For example
See the MAC Address entry in the table on
Address configuration. Refer to the Note on
Remove 0c0090-123456 from the Authorized Address list
MAC Lockdown
Example of Port A1 After Removing One MAC Address
Differences Between MAC Lockdown and Port Security
MAC Lockdown Operating Notes
Deploying MAC Lockdown
MAC Lockdown Deployed At the Network Edge Provides Security
Inside the Core Network as well, not just on the edge
Edge switches
Address and stealing data
External Network
MAC Lockout
11. Listing Locked Down Ports
Port Security and MAC Lockout
12. Listing Locked Out Ports
Using the IP Lockdown Command
IP lockdown command operates as follows
IP Lockdown
Operating Rules for IP Lockdown
Web: Displaying and Configuring Port Security Features
Reading Intrusion Alerts and Resetting Alert Flags
Log command displays the Event Log
Click on Port Security
How the Intrusion Log Operates
Resetting Alert Flags
Flags
As follows
It detects
Type I Intrusion log to display the Intrusion Log
15. Example of the Intrusion Log Display
List intrusion log content
18. Example of Port Status Screen After Alert Flags Reset
Using the Event Log To Find Intrusion Alerts
Event Log lists port security intrusions as
Operating Notes for Port Security
ProCurve Series 2600/2600-PWR and 2800 Switches
Traffic/Security Filters
Filter for the Actions Shown in Figure
Using Source-Port Filters
Operating Rules for Source-Port Filters
Configuring a Source-Port Filter
ProCurve(config)# filter source-port trk1 drop trk2,10-15
Source Port Destination Action Ports
Viewing a Source-Port Filter
Filter Indexing
Editing a Source-Port Filter
Using Named Source-Port Filters
Defining and Configuring Named Source-Port Filters
Operating Rules for Named Source-Port Filters
Sample Configuration for Named Source-Port Filters
Viewing a Named Source-Port Filter
Applying Example Named Source-Port Filters
Source Port
Using Authorized IP Managers
Operating Notes
Authorized IP Manager Features
Using Authorized IP Managers
You can configure
Access Levels
Configuration Options
Defining Authorized Management Stations
Overview of IP Mask Operation
Menu: Viewing and Configuring IP Authorized Managers
Switch Configuration … IP Authorized Managers
From the console Main Menu, select
Authorized IP Managers Commands Used in This Section
CLI: Viewing and Configuring Authorized IP Managers
Listing the Switch’s Current Authorized IP Managers
IP Mask
Configuring IP Authorized Managers for the Switch
Address of the authorized manager you want to delete
Web: Configuring IP Authorized Managers
Configuring One Station Per Authorized Manager IP Entry
Building IP Masks
Analysis of IP Mask for Single-Station Entries
Any value from 0 to
Additional Examples for Authorizing Multiple Stations
Operating Notes
Index