HP
ProCurve manual
Models:
2600-PWR
2626 (J4900A/B)
2650 (J4899A/B)
4100
4100gl
6108
306 pages, 2.08 Mb
Contents
ProCurve Switches
Access Security Guide
ProCurve
Switch 2600 Series
Switch 2600-PWR Series
Switch 2800 Series
Switch 4100gl Series
Product Documentation
1 Getting Started
2 Configuring Username and Password Security
3 Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches
4 TACACS+ Authentication
5 RADIUS Authentication and Accounting
6 Configuring Secure Shell (SSH)
7 Configuring Secure Socket Layer (SSL)
8 Configuring Port-Based Access Control (802.1X)
9 Configuring and Monitoring Port Security
10 Traffic/Security Filters
(ProCurve Series 2600/2600-PWR and 2800 Switches)
11 Using Authorized IP Managers
Product Documentation
Feature Index
Getting Started
Introduction
http://www.procurve.com
Overview of Access Security Features
TACACS+ Authentication
RADIUS Authentication and Accounting
Port-Based
Traffic/Security Filters
Authorized IP Managers
Table 1-1. Management Access Security Protection
Conventions
bold italics
Series
2600/2600-PWR
and 2800 Switches
hostname
Figure 1-1. Example of a Figure Showing a Simulated Screen
Sources for More Information
http://www.procurve.com
Technical support
Product manuals
Figure 1-2. Getting Help in the Menu Interface
Need Only a Quick Start
setup
8. Run Setup
Important
Configuring Username and Password Security
Caution
Inactivity Time
Configuring Local Password Security
Figure 2-1. The Set Password Screen
Enter new password again
To Delete Password Protection (Including Recovery from a Lost
Password):
Set Passwords
Delete Password Protection
Continue Deletion of password protection? No
Yes
Configuring Manager and Operator Passwords
Figure 2-3. Removing a Password and Associated Username from the Switch
To Configure (or Remove) Usernames and Passwords in the Web
Browser Interface
Front-Panel Security
Figure 2-4. Example Front-Panel Button Locations
Figure 2-5. Press the Clear Button for One Second To Reset the Password(s)
Figure 2-6. Press and Hold the Reset Button for One Second To Reboot the Switch
front-panel-security
Clear Password:
Disabled
Password Recovery:
CAUTION:
Figure 2-7. The Default Front-Panel Security Settings
reset-on-clear
Disabled
password-clear
Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation
Default:
Notes:
Figure 2-10. Example of Disabling the Factory Reset Option
Caution
Note: To disable password-recovery:
Steps for Disabling Password-Recovery
factory-reset
no front-panel-security password-recovery
CAUTION
Figure 2-11. Example of the Steps for Disabling Password-Recovery
Note
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches
Applicable Switch Models
Web Authentication
(Web-Auth)
How Web and MAC Authentication Operate
Figure 3-1. Example of User Login Screen
dhcp-addr
dhcp-lease
port-access
Figure 3-2. Progress Message During Authentication
client-limit
redirect-url
Figure 3-3. Authentication Completed
client-moves
unauth-vid
addr-format
addr-limit
reauth-period
reauthenticate
logoff-period
addr-moves
server-timeout
Authorized-Client
Authentication Server:
CHAP:
Client:
Redirect URL:
Operating Rules and Notes
Note on Port
Access
Management
Note on Web
MAC Authentication and LACP
General Setup Procedure for Web/MAC Authentication
aabbccddeeff
aabbcc-ddeeff
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
Note on MAC
Configuring the Switch To Access a RADIUS Server
Figure 3-4. Example of Configuring a Switch To Access a RADIUS Server
Configuring Web Authentication
ping
Configuring MAC Authentication on the
Switch
no-delimiter
single-dash
multi-dash
multi-colon
Show Status and Configuration of
Web-Based Authentication
Show Status and Configuration of MAC-Based Authentication
Show Client Status
show... clients’
TACACS+ Authentication
A3 or
A2 or
Figure 4-1. Example of TACACS+ Operation
Notes
Terminology Used in TACACS
Applications:
Authentication:
General System Requirements
General Authentication Setup Procedure
Note on Privilege Levels
telnet login
telnet enable
write memory
Configuring TACACS+ on the Switch
show authentication
aaa authentication:
tacacs-server:
Syntax
Figure 4-2. Example Listing of the Switch’s Authentication Configuration
Syntax:
paris-1
show tacacs
Figure 4-3. Example of the Switch’s TACACS+ Configuration Listing
radius
Table 4-1. AAA Authentication Parameters
Table 4-2. Primary/Secondary Authentication Table
Caution Regarding
Login Primary
The host IP address(es)
The timeout value
aaa authentication
Note on Encryption Keys
Table 4-3. Details on Configuring TACACS Servers and Keys
Adding, Removing, or Changing the Priority of a TACACS+ Server
Figure 4-4. Example of the Switch with Two TACACS+ Server Addresses Configured
Configuring an Encryption Key
How Authentication Operates
Figure 4-6. Using a TACACS+ Server for Authentication
Local
Global key:
Server-Specific
key:
Controlling Web Browser Interface
Access When Using TACACS+
Messages Related to TACACS+
Operation
server
tacacs-server configuration
Operating Notes
RADIUS Authentication and Accounting
Host: See RADIUS Server
NAS (Network Access Server):
RADIUS (Remote Authentication Dial In User Service):
RADIUS Client:
RADIUS Host:
Switch Operating Rules for RADIUS
General RADIUS Setup Procedure
Preparation:
Table 5-1. Preparation for Configuring RADIUS on the Switch
Figure 5-1. Example of Possible RADIUS Access Assignments
Configuring the Switch for RADIUS
Local Authentication Process
Controlling Web Browser Interface Access When Using RADIUS Authentication
Configuring RADIUS Accounting
Network accounting:
System accounting:
key
key-string
Accounting types:
Trigger for sending accounting reports to a RADIUS server:
Updating:
Exec:
exec
System:
system
■Start-Stop:
start-stop
■Stop-Only:
stop-only
Figure 5-8. Example of Configuring Accounting Types
Updates:
Suppress:
Viewing RADIUS Statistics
Figure 5-11. RADIUS Server Information From the Show Radius Host Command
Table 5-2. Values for Show Radius Host Output (Figure 5-11)
Figure 5-12. Example of Login Attempt and Primary/Secondary Authentication
Information from the Show Authentication Command
Figure 5-13. Example of RADIUS Authentication Information from a Specific Server
Figure 5-14. Listing the Accounting Configuration in the Switch
Figure 5-15. Example of RADIUS Accounting Information for a Specific Server
Changing RADIUS-Server Access Order
Figure 5-17. Search Order for Accessing a RADIUS Server
Figure 5-18. Example of New RADIUS Server Search Order
Messages Related to RADIUS Operation
Configuring Secure Shell (SSH)
Client Public Key Authentication (Login/Operator Level) with User
Figure 6-1. Client Public Key Authentication Model
http://www.openssh.com
Figure 6-2. Switch/User Authentication
SSH Server:
Key Pair:
PEM (Privacy Enhanced Mode):
Private Key:
Enable Level:
Prerequisite for Using SSH
Public Key Formats
Steps for Configuring and Using SSH for
Switch and Client Authentication
SSH Options
login public-key
erase
startup-config
Configuring the Switch for SSH
Further Information on SSH Client
Public-Key Authentication
aaa authentication ssh
Figure 6-14. Example of a Client Public Key
Note on Public
Keys
smith@fellow
fingerprint
clear crypto
public-key
Messages Related to SSH Operation
tftp
Configuring Secure Socket Layer (SSL)
http://www.openssl.com
Server Certificate authentication with User Password
Authentication
Figure 7-1. Switch/User Authentication
SSL Server:
Manager Level:
Operator Level:
SSL Enabled:
crypto key generate cert [key size]
crypto
Prerequisite for Using SSL
Steps for Configuring and Using SSL for Switch and Client Authentication
Configuring the Switch for SSL
Common Errors in SSL Setup
Configuring Port-Based Access Control (802.1X)
Figure 8-1. Example of an 802.1X Application
How 802.1X Operates
Figure 8-2. Example of Supplicant Operation
Authenticator:
CHAP (MD5):
EAP
EAPOL:
Friendly Client:
MD5:
PVID (Port VID):
Error configuring port X: LACP and 802.1X cannot be run together
Note on
and LACP
General Setup Procedure for Port-Based
Access Control (802.1X)
eap-radius
chap-radius
radius host
Configuring Switch Ports as 802.1X Authenticators
authorized:
unauthorized:
max-requests
(Syntax Continued)
control auto
Figure 8-3. Example of 802.1X (Port-Access) Authentication
802.1X Open VLAN Mode
1st Priority:
2nd Priority:
Table 8-1. 802.1X Open VLAN Mode Options
802.1X Per-Port Configuration
Port Response
both
Only
Unauthorized-Client
VLAN
Authorized-Client
Condition
Rule
rad4all
Option For Authenticator Ports:
Configure Port-Security To Allow Only
802.1X Devices
Note on Blocking a Non-802.1X Device
control
authorized
Configuring Switch Ports To Operate As
Supplicants for 802.1X Connections to
Other Switches
Figure 8-4. Example of Supplicant Operation
identity
secret
Enter secret: < password
Repeat secret: < password
max-start
start-period
Displaying 802.1X Configuration
Statistics, and Counters
supplicant
Figure 8-5. Example Showing Ports Configured for Open VLAN Mode
Thus, in the show port-access authenticator output:
Auth VLAN ID
Current VLAN ID
Table 8-2. Open VLAN Mode Status
Figure 8-6. Example of Showing a VLAN with Ports Configured for Open VLAN Mode
secret
Connecting
supplicant statistics [e]
How RADIUS/802.1X Authentication
Affects VLAN Operation
If the Port Used by the Client Is Not Configured as an Untagged
Figure 8-7. Example of an Active VLAN Configuration
show vlan
Messages Related to 802.1X Operation
Table 8-3. 802.1X Operating Messages
Configuring and Monitoring Port Security
Default Port Security Operation
continuous
Intruder Protection
Authorized (MAC) Addresses:
Figure 9-1. Example of How Port Security Controls Access
Planning Port Security
show log
Port Security Command Options and
MAC Lockdown
How It Works
Other Useful Information
Limits
Event Log Messages
Figure 9-9. MAC Lockdown Deployed At the Network Edge Provides Security
Figure 9-10. Connectivity Problems Using MAC Lockdown with Multiple Paths
Displaying status
running-config
static-mac
Figure 9-11. Listing Locked Down Ports
MAC Lockout
lockout-mac
Figure 9-12. Listing Locked Out Ports
IP Lockdown
(eth-1)#
Web: Displaying and Configuring Port Security Features
Reading Intrusion Alerts and Resetting Alert Flags
The show port-security intrusion-log command displays the Intrusion Log
log
Figure 9-13. Example of Multiple Intrusion Log Entries for the Same Port
Send-Disable
Operation
Figure 9-14. Example of Port Status Screen with Intrusion Alert on Port A3
Figure 9-15. Example of the Intrusion Log Display
prior to
Figure 9-18. Example of Port Status Screen After Alert Flags Reset
Operating Notes for Port Security
Traffic/Security Filters
General Operation
Figure 10-1. Example of a Filter Blocking Traffic only from Port 5 to Server "A"
Figure 10-2. The Filter for the Actions Shown in Figure
Using Source-Port Filters
trk1
trk2
trk6
Trk1
show filter
index
Figure 10-3. Example of Switch Response to Adding a Filtered Source Port to a
Trunk
Figure 10-4. Example of Listing Filters and the Details of a Specific Filter
filter
source-port
Figure 10-5. Assigning Additional Destination Ports to an Existing Filter
no filter
named-filter
<filter-name>
web-only
accounting
drop
Figure 6. Network Configuration for Named Source-Port Filters Example
Applying Example Named Source-Port Filters
IDX
Value
Figure 10-7. Expanded Network Configuration for Named Source-Port Filters
Example
Action
Using Authorized IP Managers
Authorized IP Manager Features
Access Levels
Manager:
Operator:
Defining Authorized Management
Stations
Authorizing Multiple Stations:
Manager
Operator
2. Switch Configuration …
7. IP Authorized Managers
Figure 11-1. Example of How To Add an Authorized Manager Entry
Figure 11-2. Example of How To Add an Authorized Manager Entry (Continued)
Edit
Delete
show ip
authorized-managers
Figure 11-3. Example of the Show IP Authorized-Manager Display
To Delete an Authorized Manager Entry. This command uses the IP
Web: Configuring IP Authorized Managers
Building IP Masks
Table 11-1. Analysis of IP Mask for Single-Station Entries
Figure 11-5. Analysis of IP Mask for Multiple-Station Entries
Duplicate IP Addresses:
Web Proxy Servers:
Numerics