Access Security Guide
Page
Access Security Guide
December
Publication Number
Contents
Contents Overview Client Options General Features
Configuring the Switch To Access a Radius Server
Terminology Operating Rules and Notes
General Authentication Process Using a TACACS+ Server
Viewing the Switch’s Current Authentication Configuration
Configuring the Switch’s TACACS+ Server Access
Messages Related to TACACS+ Operation Operating Notes
Configuring Secure Shell SSH
Local Authentication Process
Generate the Switch’s Server Host Certificate
Common Errors in SSL Setup
Vii
Configuring and Monitoring Port Security
Viii
Contents
Access Levels
Operating Notes for Port Security
Web Configuring IP Authorized Managers
About Your Switch Manual Set
Switch manual set includes the following
Configuration Management Guide
Feature Index
Feature
Xii
Product Documentation Feature
Xiii
Xiv
Tftp
Contents
Getting Started
Introduction
Overview of Access Security Features
Access security features covered in this guide include
Getting Started
Management Access Security Protection
Fabric than if you use only local passwords
General Switch Traffic Security Guidelines
Management Access Security Protection
Feature Descriptions by Model
Command Syntax Statements
Conventions
Command Prompts
Screen Simulations
Port Identity Examples
Sources for More Information
Getting Help in the Menu Interface
IP Addressing
Run Setup
Need Only a Quick Start?
Main Menu of the Menu interface, select
To Set Up and Install the Switch in Your Network
Interpreting LED behavior
This page is intentionally unused
Configuring Username and Password Security
Overview
Web browser interface
T e U t i o n
To set a new password
Configuring Local Password Security
Menu Setting Passwords
Console Passwords
CLI Setting Passwords and Usernames
Continue Deletion of password protection? No
Commands Used in This Section
Web Setting Passwords and Usernames
Click on Device Passwords
Click on the Security tab
When Security Is Important
Front-Panel Security
ResetClear
Front-Panel Button Functions
Clear Button
Reset Button
Restoring the Factory Default Configuration
Press and hold the Reset button
Configuring Front-Panel Security
ResetClear Self Test
Syntax show front-panel-security
Default Front-Panel Security Settings
Either form of the command enables password-clear
Changing the Operation of the Reset+Clear Combination
Example of Re-Enabling the Clear Button’s Default Operation
Default configuration settings
Password Recovery
Disabling or Re-Enabling the Password Recovery Process
Management access to the switch
Steps for Disabling Password-Recovery
No front-panel-security password-recovery
Password Recovery Process
11. Example of the Steps for Disabling Password-Recovery
This page is intentionally unused
Overview Client Options General Features
Overview
Lock a particular device to a specific switch and port
Client Options
Radius server uses the device MAC address as the username
General Features
How Web and MAC Authentication Operate
Authenticator Operation
Web-based Authentication
Progress Message During Authentication
MAC-based Authentication
How Web and MAC Authentication Operate
Terminology
Operating Rules and Notes
Management
Operating Rules and Notes
General Setup Procedure for Web/MAC Authentication
Do These Steps Before You Configure Web/MAC Authentication
General Setup Procedure for Web/MAC Authentication
Addresses
Aabbcc-ddeeff Aa-bb-cc-dd-ee-ff Aabbccddeeff
Configuring the Switch To Access a Radius Server
Radius Server Configuration Commands
Example of Configuring a Switch To Access a Radius Server
Configuring Web Authentication
Overview
Configure the Switch for Web-Based Authentication
Command Configuration Level
Syntax no aaa port-access web-based e port-list
Syntax aaa port-access web-based e port-list max-requests
Default 30 seconds
Configuring MAC Authentication on Switch
Configure the Switch for MAC-Based Authentication
Syntax
Default 30seconds
Show Status and Configuration Web-Based Authentication
Command
Show Status and Configuration of MAC-Based Authentication
Syntax show port-access port-list mac-based clients
Show Client Status
Timed out-unauth vlan
This page is intentionally unused
TACACS+ Authentication
TACACS+ Authentication
Example of TACACS+ Operation
Terminology Used in Tacacs Applications
TACACS+ Authentication
General Authentication Setup Procedure
General System Requirements
Using the Encryption Key on
Determine the following
TACACS+ Authentication
Configuring TACACS+ on the Switch
Switch offers three command areas for TACACS+ operation
Before You Begin
CLI Commands Described in this Section
Viewing the Switch’s Current Authentication Configuration
This example shows the default authentication configuration
Example of the Switch’s TACACS+ Configuration Listing
Configuring the Switch’s Authentication Methods
Authentication for the access being configured is local
AAA Authentication Parameters
Name Default Range Function
Method/privilege path. Available only if the primary method
Primary/Secondary Authentication Table
Login Primary to Local authentication
ProCurve config# aaa authentication num-attempts
Configuring the Switch’s TACACS+ Server Access
Switch or your TACACS+ server
Syntax tacacs-server host ip-addr key key-string
Details on Configuring Tacacs Servers and Keys
Name Default Range Tacacs-server host ip-addr None
Name Default Range Key key-string None null
Timeout 1
ProCurveconfig# no tacacs-server host
To configure north01 as a per-server encryption key
How Authentication Operates
General Authentication Process Using a TACACS+ Server
Changes without executing write mem
TACACS+ Authentication
Local Authentication Process
Authentication
Terminal must initiate a new session before trying again
Using the Encryption Key
Encryption Options in the Switch
General Operation
ProCurveconfig# tacacs-server key north40campus
Operating Notes
Tacacs-server configuration
Messages Related to TACACS+ Operation
CLI Message Meaning
TACACS+ Authentication
Radius Authentication and Accounting
Web Series 2600, 2600-PWR, and 2800 switches Port-Access
Radius Authentication and Accounting
Host See Radius Server
Switch Operating Rules for Radius
General Radius Setup Procedure
Preparation for Configuring Radius on the Switch
Configuring the Switch for Radius Authentication
Radius Authentication Commands
Outline of the Steps for Configuring Radius Authentication
Radius server documentation
Radius Authentication and Accounting
Example Configuration for Radius Authentication
Configure the Switch To Access a Radius Server
Configuring Radius Accounting instead of continuing here
Radius Authentication and Accounting
Configure the Switch’s Global Radius Parameters
T e
Radius Authentication and Accounting
Listings of Global Radius Parameters Configured In Figure
Local Authentication Process
Configuring Radius Accounting
Radius Accounting Commands
Under Port-Based Access Control
Access methods
Configured one or more Radius servers to support the switch
This section assumes you have already
Steps for Configuring Radius Accounting
Operating Rules for Radius Accounting
Configure the Switch To Access a Radius Server
Key key-string
Radius Authentication and Accounting
Start-Stop
Syntax no aaa accounting update periodic 1
Viewing Radius Statistics
General Radius Statistics
Values for Show Radius Host Output Figure
Term Definition
Radius Authentication Statistics
Syntax show authentication
14. Listing the Accounting Configuration in the Switch
Radius Accounting Statistics
Changing RADIUS-Server Access Order
17. Search Order for Accessing a Radius Server
18. Example of New Radius Server Search Order
Messages Related to Radius Operation
Message Meaning
This page is intentionally unused
Configuring Secure Shell SSH
Client Public Key Authentication Model
Configuring Secure Shell SSH
Use a key to authenticate itself to the switch
Using these algorithms unless otherwise noted
Terminology
Prerequisite for Using SSH
Public Key Formats
Authentication
SSH Options
Primary SSH
Configuring Secure Shell SSH
General Operating Rules and Notes
Configuring the Switch for SSH Operation
Assign Local Login Operator and Enable Manager Password
SSH-Related Commands in This Section
Generate the Switch’s Public and Private Key Pair
Example of Configuring Local Passwords
To the switch using the earlier pair
CLI kill command
Pair automatically disables SSH
Provide the Switch’s Public Key to Clients
For example, to generate and display a new key
Operation
Example of a Public Key Generated by the Switch
Inserted Bit Exponent e Modulus n
Switch’s Public and Private Key Pair on
To enable SSH on the switch
Always 896 bits
49, 80, 1506,
Configure the Switch for SSH Authentication
U t i o n T e
Option B Configuring the Switch for Client Public-Key SSH
Copies a public key file into the switch
Further Information on SSH Client Public-Key Authentication
Use an SSH Client To Access the Switch
Configuring Secure Shell SSH
14. Example of a Client Public Key
Property Supported Comments Value
Ascii
Deletes the client-public-key file from the switch
U t i o n
Messages Related to SSH Operation
00000K Peer unreachable
Generating new RSA host key. If
Configuring Secure Socket Layer SSL
Steps for Configuring and Using SSL for Switch
Server Certificate authentication with User Password
Configuring Secure Socket Layer SSL
3DES 168-bit, 112 Effective
RC4 40-bit, 128-bit
Otherwise noted
Configuring Secure Socket Layer SSL
Prerequisite for Using SSL
General Operating Rules and Notes
Configuring the Switch for SSL Operation
SSL-Related CLI Commands in This Section
Security Tab Password Button
Verified unequivocally
Generate the Switch’s Server Host Certificate
Particular switch/client session, and then discarded
Earlier certificate
To Generate or Erase the Switch’s Server Certificate with
CLI
For example, to generate a key and a new host certificate
Comments on Certificate Fields
Certificate Field Descriptions
Field Name Description
Can resume SSL operation
For example, to display the new server host certificate
Configuring Secure Socket Layer SSL
Configuring Secure Socket Layer SSL
Web browser Interface showing current SSL Host Certificate
Configuring Secure Socket Layer SSL
Example of a Certificate Request and Reply
T e
Zeroize the switch’s host certificate or certificate key.
Using the CLI interface to enable SSL
Using the web browser interface to enable SSL
Execute no web-management ssl
Enable SLL Port number Selection
Common Errors in SSL Setup
Error During Possible Cause
This page is intentionally unused
Configuring Port-Based Access Control
Operating Rules for Authorized-Client
Configuring Port-Based Access Control
Why Use Port-Based Access Control?
Configuring Port-Based Access Control
Example of an 802.1X Application
How 802.1X Operates
Switch-Port Supplicant Operation
Example of Supplicant Operation
Authenticator at the same time
802.1X standard
General Operating Rules and Notes
Configuring Port-Based Access Control
General Setup Procedure for Port-Based Access Control
Do These Steps Before You Configure 802.1X Operation
Overview Configuring 802.1X Authentication on Switch
Authenticators operate as expected
Configuring Port-Based Access Control
Configuring Switch Ports as 802.1X Authenticators
Enable 802.1X Authentication on Selected Ports
802.1X Authentication Commands
Quiet-period 0
Max-requests 1
Clears authenticator statistics counters
Configure the 802.1X Authentication Method
Example of 802.1X Port-Access Authentication
Enable 802.1X Authentication on the Switch
Enter the Radius Host IP Addresses
802.1X Open Vlan Mode
802.1X-Related Show Commands Radius server configuration
Introduction
Use Models for 802.1X Open Vlan Modes
Membership in the Vlan
1X Open Vlan Mode Options
802.1X Open Vlan Mode
802.1X Per-Port Configuration Port Response
Condition Rule
Multiple Authenticator Ports Using
Setting Up and Configuring 802.1X Open Vlan Mode
Before you configure the 802.1X Open Vlan mode on a port
Mised by an unauthorized client
Activate authentication on the switch
Port-Security To Allow Only 802.1X Devices on
Vlan Operation
ProCurveconfig# aaa authentication port-access eap-radius
802.1X Open Vlan Operating Notes
ProCurveconfig# aaa port-access authenticator e A10
Enables 802.1X authentication on the port
802.1X Authentication Commands 802.1X Supplicant Commands
Default supplicant parameters or any previously configured
Syntax aaa port-access supplicant ethernet port-list
Enter secret password Repeat secret password
Max-start 1
Displaying 802.1X Configuration Statistics, and Counters
Show Commands for Port-Access Authenticator
Show port-access authenticator Syntax Config e port-list
Viewing 802.1X Open Vlan Mode Status
Access Control
Open Vlan Mode Status
802.1X authentication
Authenticator
Status Indicator Meaning
Current Vlan ID
No Pvid The port is not an untagged member of any Vlan
Show Commands for Port-Access Supplicant
Supplicant port detects a different authenticator device
Switch reboots
How RADIUS/802.1X Authentication Affects Vlan Operation
Example of an Active Vlan Configuration
Otherwise, port A2 is not listed
Assignment
Messages Related to 802.1X Operation
1X Operating Messages
Configuring and Monitoring Port Security
Configuring and Monitoring Port Security
Basic Operation
Cast traffic
Blocking Unauthorized Traffic
Switch a
Physical Topology Logical Topology for Access to Switch a
Switch B
Switch C
Planning Port Security
Commands
Port Security Command Options Operation
Port Security Commands Used in This Section
Acquires and maintains authorized addresses
080090-1362f2
00f031-423fc1 4 b0-880a80 the authorized address
Address-limit integer
Clear-intrusion-flag
Learned MAC Addresses
Displaying Current Port Security Settings
Retention of Static MAC Addresses
Assigned/Authorized MAC Addresses
Using the CLI To Display Port Security Settings
Configuring Port Security
Specifying Authorized Devices and Intrusion Responses
Adding a MAC Address to an Existing Port List
Example of Adding an Authorized Device to a Port
Example of Adding a Second Authorized Device to a Port
Device’s MAC address. For example
See the MAC Address entry in the table on
Address configuration. Refer to the Note on
Remove 0c0090-123456 from the Authorized Address list
MAC Lockdown
Example of Port A1 After Removing One MAC Address
Configuring and Monitoring Port Security
Differences Between MAC Lockdown and Port Security
MAC Lockdown Operating Notes
Deploying MAC Lockdown
MAC Lockdown Deployed At the Network Edge Provides Security
Edge switches
Address and stealing data
Inside the Core Network as well, not just on the edge
External Network X e d U s e r s
MAC Lockout
11. Listing Locked Down Ports
Configuring and Monitoring Port Security
Port Security and MAC Lockout
12. Listing Locked Out Ports
IP Lockdown
Using the IP Lockdown Command
IP lockdown command operates as follows
Operating Rules for IP Lockdown
Log command displays the Event Log
Web Displaying and Configuring Port Security Features
Reading Intrusion Alerts and Resetting Alert Flags
Click on Port Security
How the Intrusion Log Operates
As follows
Resetting Alert Flags
Flags
It detects
Type I Intrusion log to display the Intrusion Log
15. Example of the Intrusion Log Display
Configuring and Monitoring Port Security
List intrusion log content
18. Example of Port Status Screen After Alert Flags Reset
Using the Event Log To Find Intrusion Alerts
Event Log lists port security intrusions as
Operating Notes for Port Security
Configuring and Monitoring Port Security
ProCurve Series 2600/2600-PWR and 2800 Switches
Traffic/Security Filters
10-2
Filter for the Actions Shown in Figure
10-3
Using Source-Port Filters
Operating Rules for Source-Port Filters
Configuring a Source-Port Filter
10-5
ProCurveconfig# filter source-port trk1 drop trk2,10-15
10-6
Viewing a Source-Port Filter
10-7
Source Port Destination Action Ports
Filter Indexing
10-8
Editing a Source-Port Filter
10-9
Operating Rules for Named Source-Port Filters
Using Named Source-Port Filters
Defining and Configuring Named Source-Port Filters
10-10
10-11
Sample Configuration for Named Source-Port Filters
Viewing a Named Source-Port Filter
10-12
Applying Example Named Source-Port Filters
10-14
Source Port
10-15
10-16
10-17
10-18
Using Authorized IP Managers
Operating Notes 11-1
Authorized IP Manager Features
Using Authorized IP Managers
Access Levels
Configuration Options
You can configure
Defining Authorized Management Stations
Overview of IP Mask Operation
11-4
From the console Main Menu, select
Menu Viewing and Configuring IP Authorized Managers
Switch Configuration … IP Authorized Managers
11-5
CLI Viewing and Configuring Authorized IP Managers
Listing the Switch’s Current Authorized IP Managers
Authorized IP Managers Commands Used in This Section
Configuring IP Authorized Managers for the Switch
11-7
IP Mask
Address of the authorized manager you want to delete
11-8
Building IP Masks
Web Configuring IP Authorized Managers
Configuring One Station Per Authorized Manager IP Entry
Analysis of IP Mask for Single-Station Entries
11-10
Any value from 0 to
Additional Examples for Authorizing Multiple Stations
11-11
Operating Notes
Index
Index
See RADIUS. message
See SSH. proxy Web server … Quick start …
Show accounting … 5-28 show authentication …
See RADIUS. troubleshooting
Vlan
This page is intentionally unused
December
