HP 2600-PWR, 2626 (J4900A/B), 2650 (J4899A/B), 4100, 4100gl, 6108 802.1X Open VLAN Mode

Configuring Port-Based Access Control (802.1X)

802.1X Open VLAN Mode

802.1X Open VLAN Mode

802.1X Authentication Commands	page 8-15
802.1X Supplicant Commands	page 8-35
802.1X Open VLAN Mode Commands
[no] aaa port-access authenticator [e] < port-list>	page 8-30
[auth-vid < vlan-id>]
[unauth-vid < vlan-id>]
802.1X-Related Show Commands	page 8-38
RADIUS server configuration	pages 8-20

This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators.

Introduction

Configuring the 802.1X Open VLAN mode on a port changes how the port responds when it detects a new client. In earlier releases, a “friendly” client computer not running 802.1X supplicant software could not be authenticated on a port protected by 802.1X access security. As a result, the port would become blocked and the client could not access the network. This prevented the client from:

■Acquiring IP addressing from a DHCP server

■Downloading the 802.1X supplicant software necessary for an authen- tication session

The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static, tagged and untagged VLAN memberships and placing the port in a designated Unauthorized-Client VLAN. In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X software, and starting the authentication process. Following client authentication, the port drops its temporary (untagged) membership in the Unauthorized-Client VLAN and joins (or rejoins) one of the following as an untagged member:

8-21

Contents

ProCurve Switches Access Security Guide Page ProCurve Switch 2600 Series Switch 2600-PWRSeries Switch 2800 Series Switch 4100gl Series Page Contents Product Documentation 1 Getting Started 2 Configuring Username and Password Security 3Web and MAC Authentication for the Series 2600/ 2600-PWRand 2800 Switches 4 TACACS+ Authentication 5 RADIUS Authentication and Accounting 6 Configuring Secure Shell (SSH) 7 Configuring Secure Socket Layer (SSL) 8 Configuring Port-BasedAccess Control (802.1X) 9 Configuring and Monitoring Port Security 10Traffic/Security Filters (ProCurve Series 2600/2600-PWRand 2800 Switches) 11 Using Authorized IP Managers Page Product Documentation Feature Index Page Page Getting Started Introduction http://www.procurve.com Overview of Access Security Features TACACS+ Authentication RADIUS Authentication and Accounting Port-Based Traffic/Security Filters Authorized IP Managers Table 1-1.Management Access Security Protection Conventions bold italics Series 2600/2600-PWR and 2800 Switches hostname Figure 1-1.Example of a Figure Showing a Simulated Screen Sources for More Information http://www.procurve.com Technical support Product manuals Figure 1-2.Getting Help in the Menu Interface Need Only a Quick Start setup 8.Run Setup Important Page Configuring Username and Password Security Page Caution Inactivity Time Configuring Local Password Security Figure 2-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Yes Configuring Manager and Operator Passwords Figure 2-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface Front-PanelSecurity Figure 2-4.Example Front-PanelButton Locations Figure 2-5.Press the Clear Button for One Second To Reset the Password(s) Figure 2-6.Press and hold the Reset Button for One Second To Reboot the Switch front-panel-security Clear Password: Disabled Password Recovery: CAUTION: Figure 2-7.The Default Front-PanelSecurity Settings reset-on-clear Disabled password-clear Figure 2-9.Example of Re-Enablingthe Clear Button’s Default Operation Default: Notes: Figure 2-10.Example of Disabling the Factory Reset Option C a u t i o n Note: To disable password-recovery: Steps for Disabling Password-Recovery factory- reset no front-panel-security password-recovery CAUTION Figure 2-11.Example of the Steps for Disabling Password-Recovery N o t e Page Web and MAC Authentication for the Series 2600/2600-PWRand 2800 Switches Applicable Switch Models Web Authentication (Web-Auth) Page Page How Web and MAC Authentication Operate Figure 3-1.Example of User Login Screen dhcp-addr dhcp-lease port-access Figure 3-2.Progress Message During Authentication client-limit redirect-url Figure 3-3.Authentication Completed client-moves unauth- vid addr-format addr-limit reauth-period reauthenticate logoff-period addr-moves server-timeout Authorized-Client Authentication Server: CHAP: Client: Redirect URL: Operating Rules and Notes Note on Port Access Management Page Note on Web MAC Authentication and LACP General Setup Procedure for Web/MAC Authentication Page aabbccddeeff aabbcc-ddeeff aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff Note on MAC Configuring the Switch To Access a RADIUS Server Figure 3-4.Example of Configuring a Switch To Access a RADIUS Server Configuring Web Authentication ping Page Page Page Page Configuring MAC Authentication on the Switch no-delimiter single-dash multi-dash multi-colon Page Page Show Status and Configuration of Web-BasedAuthentication Show Status and Configuration of MAC-BasedAuthentication Page Show Client Status show... clients’ Page TACACS+ Authentication A3 or A2 or Figure 4-1.Example of TACACS+ Operation Notes Terminology Used in TACACS Applications: Authentication: Page General System Requirements General Authentication Setup Procedure Page Note on Privilege Levels telnet login telnet enable write memory Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Syntax Figure 4-2.Example Listing of the Switch’s Authentication Configuration Syntax: paris-1 show tacacs Figure 4-3.Example of the Switch’s TACACS+ Configuration Listing radius Table 4-1.AAA Authentication Parameters Table 4-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Page The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Table 4-3.Details on Configuring TACACS Servers and Keys Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 4-4.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key How Authentication Operates Figure 4-6.Using a TACACS+ Server for Authentication Page Local Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Operating Notes Page RADIUS Authentication and Accounting Page Host: See RADIUS Server NAS (Network Access Server): RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Preparation: Table 5-1.Preparation for Configuring RADIUS on the Switch Figure 5-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Page Page Local Authentication Process Controlling Web Browser Interface Access When Using RADIUS Authentication Configuring RADIUS Accounting Network accounting: System accounting: Page key key-string Accounting types: Trigger for sending accounting reports to a RADIUS server: Updating: Page Exec: exec System: system system ■Start-Stop: start-stop ■Stop-Only: stop-only Figure 5-8.Example of Configuring Accounting Types Updates: Suppress: Viewing RADIUS Statistics Figure 5-11.RADIUS Server Information From the Show Radius Host Command Table 5-2.Values for Show Radius Host Output (Figure 5-11) Figure 5-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 5-13.Example of RADIUS Authentication Information from a Specific Server Figure 5-14.Listing the Accounting Configuration in the Switch Figure 5-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 5-17.Search Order for Accessing a RADIUS Server Figure 5-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Page Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 6-1.Client Public Key Authentication Model http://www.openssh.com Figure 6-2.Switch/User Authentication SSH Server: Key Pair: PEM (Privacy Enhanced Mode): Private Key: Enable Level: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication Table SSH Options login public- key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication Page aaa authentication ssh Figure 6-14.Example of a Client Public Key Note on Public Keys smith@fellow fingerprint clear crypto public-key Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) http://www.openssl.com Server Certificate authentication with User Password Authentication Figure 7-1.Switch/User Authentication SSL Server: Manager Level: Operator Level: SSL Enabled: crypto key generate cert [key size] crypto Prerequisite for Using SSL Steps for Configuring and Using SSL for Switch and Client Authentication Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL Setup Page Configuring Port-BasedAccess Control (802.1X) Page Page Page Figure 8-1.Example of an 802.1X Application How 802.1X Operates Figure 8-2.Example of Supplicant Operation Authenticator: CHAP (MD5): EAP EAPOL: Friendly Client: MD5: PVID (Port VID): Page Error configuring port X: LACP and 802.1X cannot be run together Note on and LACP General Setup Procedure for Port-Based Access Control (802.1X) eap-radius chap-radius radius host Page Configuring Switch Ports as 802.1X Authenticators authorized: unauthorized: max-requests (Syntax Continued) control auto Figure 8-3.Example of 802.1X (Port-Access)Authentication Page 802.1X Open VLAN Mode 1st Priority: 2nd Priority: Table 8-1.802.1X Open VLAN Mode Options 802.1X Per-PortConfiguration Port Response both Only Unauthorized-Client VLAN Authorized-Client Condition Rule Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1X Devices Note on Blocking a Non- 802.1X Device control authorized authorized Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Figure 8-4.Example of Supplicant Operation Page identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1X Configuration Statistics, and Counters supplicant Figure 8-5.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 8-2.Open VLAN Mode Status Figure 8-6.Example of Showing a VLAN with Ports Configured for Open VLAN Mode secret Connecting supplicant statistics [e] How RADIUS/802.1X Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 8-7.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1X Operation Table 8-3.802.1X Operating Messages Configuring and Monitoring Port Security Default Port Security Operation continuous Intruder Protection Authorized (MAC) Addresses: Figure 9-1.Example of How Port Security Controls Access Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Page Page MAC Lockdown How It Works Other Useful Information Page Limits Event Log Messages Page Figure 9-9.MAC Lockdown Deployed At the Network Edge Provides Security Page Figure 9-10.Connectivity Problems Using MAC Lockdown with Multiple Paths Displaying status running-config static-mac Figure 9-11.Listing Locked Down Ports MAC Lockout lockout-mac Figure 9-12.Listing Locked Out Ports IP Lockdown (eth-1)# Web: Displaying and Configuring Port Security Features Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 9-13.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation Figure 9-14.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 9-15.Example of the Intrusion Log Display prior to Page Figure 9-18.Example of Port Status Screen After Alert Flags Reset Page Operating Notes for Port Security Page Traffic/Security Filters General Operation Figure 10-1.Example of a Filter Blocking Traffic only from Port 5 to Server "A Figure 10-2.The Filter for the Actions Shown in Figure Using Source-PortFilters trk1 trk2 trk6 Trk1 show filter index Figure 10-3.Example of Switch Response to Adding a Filtered Source Port to a Trunk Page Figure 10-4.Example of Listing Filters and the Details of a Specific Filter filter source-port Figure 10-5.Assigning Additional Destination Ports to an Existing Filter no filter named-filter <filter-name web-only accounting drop Figure 6. Network Configuration for Named Source-PortFilters Example Applying Example Named Source-PortFilters Page IDX Value Figure 10-7.Expanded Network Configuration for Named Source-PortFilters Example Action Page Using Authorized IP Managers Authorized IP Manager Features Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration … 7.IP Authorized Managers Figure 11-1.Example of How To Add an Authorized Manager Entry Figure 11-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Figure 11-3.Example of the Show IP Authorized-ManagerDisplay To Delete an Authorized Manager Entry. This command uses the IP Web: Configuring IP Authorized Managers Building IP Masks Table 11-1.Analysis of IP Mask for Single-StationEntries Figure 11-5.Analysis of IP Mask for Multiple-StationEntries Page Duplicate IP Addresses: Web Proxy Servers: Numerics