Configuring and Monitoring Port Security | HP 6108, 4100gl, 2600-PWR

Configuring and Monitoring Port Security

MAC Lockout

Lockout command (lockout-mac<mac-address>). When the wireless clients then attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network.

If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don’t have to configure every single port—just perform the command on the switch and it is effective for all ports.

MAC Lockout overrides MAC Lockdown, port security, and 802.1x authenti- cation.

You cannot use MAC Lockout to lock:

•Broadcast or Multicast Addresses (Switches do not learn these)

•Switch Agents (The switch’s own MAC Address)

If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file:

Lockout logging format:

W10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15

W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15

W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs for 5m

As with MAC Lockdown a rate limiting algorithm is used on the log file so that it does not become overclogged with error messages. (Refer to “Limiting the Frequency of Log Messages” on page 9-20.)

Displaying status. Locked out ports are listed in the output of the show running-configcommand in the CLI. The show lockout-maccommand also lists the locked out MAC addresses, as shown below.

9-26

Image 256

HP 6108, 4100gl, 2650 (J4899A/B), 2626 (J4900A/B), 2600-PWR manual Configuring and Monitoring Port Security

Contents

Access Security Guide Page Access Security Guide December Publication Number Contents Configuring the Switch To Access a Radius Server Contents Overview Client Options General FeaturesTerminology Operating Rules and Notes Viewing the Switch’s Current Authentication Configuration Configuring the Switch’s TACACS+ Server AccessGeneral Authentication Process Using a TACACS+ Server Messages Related to TACACS+ Operation Operating Notes Configuring Secure Shell SSH Local Authentication Process Common Errors in SSL Setup Generate the Switch’s Server Host CertificateVii Configuring and Monitoring Port Security Viii Access Levels ContentsOperating Notes for Port Security Web Configuring IP Authorized Managers About Your Switch Manual Set Switch manual set includes the following Feature Index FeatureConfiguration Management Guide Xii Product Documentation Feature Xiii Xiv Tftp Contents Getting Started Overview of Access Security Features Access security features covered in this guide includeIntroduction Getting Started Management Access Security Protection Fabric than if you use only local passwords General Switch Traffic Security Guidelines Management Access Security Protection Command Syntax Statements Feature Descriptions by ModelConventions Screen Simulations Command PromptsPort Identity Examples Sources for More Information Getting Help in the Menu Interface Run Setup Need Only a Quick Start?IP Addressing Main Menu of the Menu interface, select To Set Up and Install the Switch in Your Network Interpreting LED behavior This page is intentionally unused Configuring Username and Password Security Overview Web browser interface T e U t i o n Configuring Local Password Security Menu Setting PasswordsTo set a new password Console Passwords Continue Deletion of password protection? No CLI Setting Passwords and UsernamesCommands Used in This Section Click on Device Passwords Web Setting Passwords and UsernamesClick on the Security tab When Security Is Important Front-Panel Security Front-Panel Button Functions ResetClearClear Button Restoring the Factory Default Configuration Reset ButtonPress and hold the Reset button Configuring Front-Panel Security ResetClear Self Test Syntax show front-panel-security Default Front-Panel Security Settings Either form of the command enables password-clear Changing the Operation of the Reset+Clear Combination Example of Re-Enabling the Clear Button’s Default Operation Password Recovery Disabling or Re-Enabling the Password Recovery ProcessDefault configuration settings Management access to the switch Steps for Disabling Password-Recovery No front-panel-security password-recovery Password Recovery Process 11. Example of the Steps for Disabling Password-Recovery This page is intentionally unused Overview Client Options General Features Overview Client Options Lock a particular device to a specific switch and portRadius server uses the device MAC address as the username General Features Authenticator Operation How Web and MAC Authentication OperateWeb-based Authentication Progress Message During Authentication MAC-based Authentication How Web and MAC Authentication Operate Terminology Operating Rules and Notes Management Operating Rules and Notes General Setup Procedure for Web/MAC Authentication Do These Steps Before You Configure Web/MAC Authentication General Setup Procedure for Web/MAC Authentication Addresses Aabbcc-ddeeff Aa-bb-cc-dd-ee-ff Aabbccddeeff Configuring the Switch To Access a Radius Server Radius Server Configuration Commands Example of Configuring a Switch To Access a Radius Server Configuring Web Authentication Overview Configure the Switch for Web-Based Authentication Command Configuration Level Syntax no aaa port-access web-based e port-list Syntax aaa port-access web-based e port-list max-requests Default 30 seconds Configuring MAC Authentication on Switch Configure the Switch for MAC-Based Authentication Syntax Default 30seconds Show Status and Configuration Web-Based Authentication Command Show Status and Configuration of MAC-Based Authentication Syntax show port-access port-list mac-based clients Show Client Status Timed out-unauth vlan This page is intentionally unused TACACS+ Authentication TACACS+ Authentication Example of TACACS+ Operation Terminology Used in Tacacs Applications TACACS+ Authentication General Authentication Setup Procedure General System Requirements Using the Encryption Key on Determine the following TACACS+ Authentication Switch offers three command areas for TACACS+ operation Configuring TACACS+ on the SwitchBefore You Begin Viewing the Switch’s Current Authentication Configuration CLI Commands Described in this SectionThis example shows the default authentication configuration Example of the Switch’s TACACS+ Configuration Listing Configuring the Switch’s Authentication Methods AAA Authentication Parameters Name Default Range FunctionAuthentication for the access being configured is local Method/privilege path. Available only if the primary method Primary/Secondary Authentication Table Login Primary to Local authentication ProCurve config# aaa authentication num-attempts Configuring the Switch’s TACACS+ Server Access Switch or your TACACS+ server Syntax tacacs-server host ip-addr key key-string Details on Configuring Tacacs Servers and Keys Name Default Range Tacacs-server host ip-addr None Name Default Range Key key-string None null Timeout 1 ProCurveconfig# no tacacs-server host To configure north01 as a per-server encryption key General Authentication Process Using a TACACS+ Server How Authentication OperatesChanges without executing write mem TACACS+ Authentication Authentication Local Authentication ProcessTerminal must initiate a new session before trying again Encryption Options in the Switch Using the Encryption KeyGeneral Operation ProCurveconfig# tacacs-server key north40campus Tacacs-server configuration Messages Related to TACACS+ OperationOperating Notes CLI Message Meaning TACACS+ Authentication Radius Authentication and Accounting Web Series 2600, 2600-PWR, and 2800 switches Port-Access Radius Authentication and Accounting Host See Radius Server Switch Operating Rules for Radius General Radius Setup Procedure Preparation for Configuring Radius on the Switch Configuring the Switch for Radius Authentication Radius Authentication Commands Outline of the Steps for Configuring Radius Authentication Radius server documentation Radius Authentication and Accounting Example Configuration for Radius Authentication Configure the Switch To Access a Radius Server Configuring Radius Accounting instead of continuing here Radius Authentication and Accounting Configure the Switch’s Global Radius Parameters T e Radius Authentication and Accounting Listings of Global Radius Parameters Configured In Figure Local Authentication Process Configuring Radius Accounting Radius Accounting Commands Access methods Configured one or more Radius servers to support the switchUnder Port-Based Access Control This section assumes you have already Steps for Configuring Radius Accounting Operating Rules for Radius Accounting Configure the Switch To Access a Radius Server Key key-string Radius Authentication and Accounting Start-Stop Syntax no aaa accounting update periodic 1 Viewing Radius Statistics General Radius Statistics Values for Show Radius Host Output Figure Term Definition Radius Authentication Statistics Syntax show authentication 14. Listing the Accounting Configuration in the Switch Radius Accounting Statistics Changing RADIUS-Server Access Order 17. Search Order for Accessing a Radius Server 18. Example of New Radius Server Search Order Messages Related to Radius Operation Message Meaning This page is intentionally unused Configuring Secure Shell SSH Client Public Key Authentication Model Configuring Secure Shell SSH Use a key to authenticate itself to the switch Using these algorithms unless otherwise noted Terminology Prerequisite for Using SSH Public Key Formats SSH Options AuthenticationPrimary SSH Configuring Secure Shell SSH General Operating Rules and Notes Assign Local Login Operator and Enable Manager Password Configuring the Switch for SSH OperationSSH-Related Commands in This Section Generate the Switch’s Public and Private Key Pair Example of Configuring Local Passwords CLI kill command To the switch using the earlier pairPair automatically disables SSH For example, to generate and display a new key Provide the Switch’s Public Key to ClientsOperation Example of a Public Key Generated by the Switch Inserted Bit Exponent e Modulus n Switch’s Public and Private Key Pair on To enable SSH on the switch Always 896 bits 49, 80, 1506, Configure the Switch for SSH Authentication U t i o n T e Option B Configuring the Switch for Client Public-Key SSH Copies a public key file into the switch Further Information on SSH Client Public-Key Authentication Use an SSH Client To Access the Switch Configuring Secure Shell SSH 14. Example of a Client Public Key Property Supported Comments Value Ascii Deletes the client-public-key file from the switch U t i o n Messages Related to SSH Operation 00000K Peer unreachable Generating new RSA host key. If Configuring Secure Socket Layer SSL Steps for Configuring and Using SSL for Switch Server Certificate authentication with User Password Configuring Secure Socket Layer SSL RC4 40-bit, 128-bit 3DES 168-bit, 112 EffectiveOtherwise noted Configuring Secure Socket Layer SSL Prerequisite for Using SSL General Operating Rules and Notes Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Security Tab Password Button Generate the Switch’s Server Host Certificate Particular switch/client session, and then discardedVerified unequivocally Earlier certificate To Generate or Erase the Switch’s Server Certificate with CLI Comments on Certificate Fields Certificate Field DescriptionsFor example, to generate a key and a new host certificate Field Name Description Can resume SSL operation For example, to display the new server host certificate Configuring Secure Socket Layer SSL Configuring Secure Socket Layer SSL Web browser Interface showing current SSL Host Certificate Configuring Secure Socket Layer SSL Example of a Certificate Request and Reply T e Using the CLI interface to enable SSL Using the web browser interface to enable SSLZeroize the switch’s host certificate or certificate key. Execute no web-management ssl Enable SLL Port number Selection Common Errors in SSL Setup Error During Possible Cause This page is intentionally unused Configuring Port-Based Access Control Operating Rules for Authorized-Client Configuring Port-Based Access Control Why Use Port-Based Access Control? Configuring Port-Based Access Control Example of an 802.1X Application How 802.1X Operates Switch-Port Supplicant Operation Example of Supplicant Operation Authenticator at the same time 802.1X standard General Operating Rules and Notes Configuring Port-Based Access Control General Setup Procedure for Port-Based Access Control Do These Steps Before You Configure 802.1X Operation Overview Configuring 802.1X Authentication on Switch Authenticators operate as expected Configuring Port-Based Access Control Enable 802.1X Authentication on Selected Ports Configuring Switch Ports as 802.1X Authenticators802.1X Authentication Commands Quiet-period 0 Max-requests 1 Clears authenticator statistics counters Configure the 802.1X Authentication Method Example of 802.1X Port-Access Authentication Enable 802.1X Authentication on the Switch Enter the Radius Host IP Addresses 802.1X-Related Show Commands Radius server configuration 802.1X Open Vlan ModeIntroduction Use Models for 802.1X Open Vlan Modes Membership in the Vlan 1X Open Vlan Mode Options 802.1X Open Vlan Mode 802.1X Per-Port Configuration Port Response Condition Rule Multiple Authenticator Ports Using Setting Up and Configuring 802.1X Open Vlan Mode Before you configure the 802.1X Open Vlan mode on a port Mised by an unauthorized client Port-Security To Allow Only 802.1X Devices on Activate authentication on the switchVlan Operation ProCurveconfig# aaa authentication port-access eap-radius 802.1X Open Vlan Operating Notes ProCurveconfig# aaa port-access authenticator e A10 Enables 802.1X authentication on the port 802.1X Authentication Commands 802.1X Supplicant Commands Default supplicant parameters or any previously configured Syntax aaa port-access supplicant ethernet port-list Enter secret password Repeat secret password Max-start 1 Displaying 802.1X Configuration Statistics, and Counters Show Commands for Port-Access Authenticator Show port-access authenticator Syntax Config e port-list Viewing 802.1X Open Vlan Mode Status Open Vlan Mode Status 802.1X authenticationAccess Control Authenticator Current Vlan ID Status Indicator MeaningNo Pvid The port is not an untagged member of any Vlan Supplicant port detects a different authenticator device Show Commands for Port-Access SupplicantSwitch reboots How RADIUS/802.1X Authentication Affects Vlan Operation Example of an Active Vlan Configuration Otherwise, port A2 is not listed Assignment Messages Related to 802.1X Operation 1X Operating Messages Configuring and Monitoring Port Security Basic Operation Configuring and Monitoring Port SecurityCast traffic Blocking Unauthorized Traffic Physical Topology Logical Topology for Access to Switch a Switch BSwitch a Switch C Planning Port Security Port Security Command Options Operation Port Security Commands Used in This SectionCommands Acquires and maintains authorized addresses 080090-1362f2 00f031-423fc1 4 b0-880a80 the authorized address Address-limit integer Clear-intrusion-flag Displaying Current Port Security Settings Retention of Static MAC AddressesLearned MAC Addresses Assigned/Authorized MAC Addresses Using the CLI To Display Port Security Settings Configuring Port Security Specifying Authorized Devices and Intrusion Responses Adding a MAC Address to an Existing Port List Example of Adding an Authorized Device to a Port Example of Adding a Second Authorized Device to a Port Device’s MAC address. For example See the MAC Address entry in the table on Address configuration. Refer to the Note on Remove 0c0090-123456 from the Authorized Address list MAC Lockdown Example of Port A1 After Removing One MAC Address Configuring and Monitoring Port Security Differences Between MAC Lockdown and Port Security MAC Lockdown Operating Notes Deploying MAC Lockdown MAC Lockdown Deployed At the Network Edge Provides Security Address and stealing data Edge switchesInside the Core Network as well, not just on the edge External Network X e d U s e r s MAC Lockout 11. Listing Locked Down Ports Configuring and Monitoring Port Security Port Security and MAC Lockout 12. Listing Locked Out Ports Using the IP Lockdown Command IP lockdown command operates as followsIP Lockdown Operating Rules for IP Lockdown Web Displaying and Configuring Port Security Features Reading Intrusion Alerts and Resetting Alert FlagsLog command displays the Event Log Click on Port Security How the Intrusion Log Operates Resetting Alert Flags FlagsAs follows It detects Type I Intrusion log to display the Intrusion Log 15. Example of the Intrusion Log Display Configuring and Monitoring Port Security List intrusion log content 18. Example of Port Status Screen After Alert Flags Reset Using the Event Log To Find Intrusion Alerts Event Log lists port security intrusions as Operating Notes for Port Security Configuring and Monitoring Port Security ProCurve Series 2600/2600-PWR and 2800 Switches Traffic/Security Filters 10-2 Filter for the Actions Shown in Figure 10-3 Using Source-Port Filters Operating Rules for Source-Port Filters Configuring a Source-Port Filter 10-5 ProCurveconfig# filter source-port trk1 drop trk2,10-15 10-6 10-7 Viewing a Source-Port FilterSource Port Destination Action Ports Filter Indexing 10-8 Editing a Source-Port Filter 10-9 Using Named Source-Port Filters Defining and Configuring Named Source-Port FiltersOperating Rules for Named Source-Port Filters 10-10 10-11 Viewing a Named Source-Port Filter Sample Configuration for Named Source-Port Filters10-12 Applying Example Named Source-Port Filters 10-14 Source Port 10-15 10-16 10-17 10-18 Using Authorized IP Managers Operating Notes 11-1 Authorized IP Manager Features Using Authorized IP Managers Configuration Options Access LevelsYou can configure Overview of IP Mask Operation Defining Authorized Management Stations11-4 Menu Viewing and Configuring IP Authorized Managers Switch Configuration … IP Authorized ManagersFrom the console Main Menu, select 11-5 Listing the Switch’s Current Authorized IP Managers CLI Viewing and Configuring Authorized IP ManagersAuthorized IP Managers Commands Used in This Section 11-7 Configuring IP Authorized Managers for the SwitchIP Mask Address of the authorized manager you want to delete 11-8 Web Configuring IP Authorized Managers Configuring One Station Per Authorized Manager IP EntryBuilding IP Masks Analysis of IP Mask for Single-Station Entries 11-10 Any value from 0 to Additional Examples for Authorizing Multiple Stations 11-11 Operating Notes Index Index See RADIUS. message See SSH. proxy Web server … Quick start … Show accounting … 5-28 show authentication … See RADIUS. troubleshooting Vlan This page is intentionally unused December