HP ProCurve 4100gl manual
228 pages, 5.22 Mb
Access Security Guide
HP ProCurve Series 4100GL Switches
www.hp.com/go/hpprocurve
Contents
HP ProCurve Series 4100GL Switches
Getting Started
1 Configuring Username and Password Security
2 TACACS+ Authentication
3 RADIUS Authentication and Accounting
4 Configuring Secure Shell (SSH)
5 Configuring Secure Socket Layer (SSL)
6 Configuring Port-Based Access Control (802.1x)
7 Configuring and Monitoring Port Security
8 Using Authorized IP Managers
Getting Started
Introduction
Overview of Access Security Features
Command Syntax Conventions
copy tftp
Simulating Display Output
hostname
Figure 1. Example of a Figure Showing a Simulated Screen
Related Publications
Getting Documentation From the Web
2. Click on technical support
manuals
Sources for More Information
http://www.hp.com/go/hpprocurve
Need Only a Quick Start
IP Addressing
setup
8. Run Setup
Configuring Username and Password Security
Note
Caution
Inactivity Time
Configuring Local Password Security
Figure 1-1. The Set Password Screen
Enter new password again
To Delete Password Protection (Including Recovery from a Lost Password):
Set Passwords
Delete Password Protection
Continue Deletion of password protection? No
Configuring Manager and Operator Passwords
Figure 1-2. Example of Configuring Manager and Operator Passwords
Figure 1-3. Removing a Password and Associated Username from the Switch
To Configure (or Remove) Usernames and Passwords in the Web Browser Interface
TACACS+ Authentication
Figure 2-1. Example of TACACS+ Operation
Notes Regarding Software Release G.05
Terminology Used in TACACS
Applications:
NAS (Network Access Server):
TACACS+ Server:
Authentication:
General System Requirements
Notes
General Authentication Setup Procedure
Note on Privilege Levels
ping
write memory
Configuring TACACS+ on the Switch
show authentication
aaa authentication:
tacacs-server:
Figure 2-2. Example Listing of the Switch's Authentication Configuration
paris-1
show tacacs
Figure 2-3. Example of the Switch's TACACS+ Configuration Listing
Table 2-1. AAA Authentication Parameters
Table 2-2. Primary/Secondary Authentication Table
Caution Regarding Login Primary Access
Console Login (Operator or Read-Only) Access: Primary using TACACS+ server
Secondary using Local
Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server
Telnet Enable (Manager or Read/Write) Access: Primary using TACACS+ server
The host IP address(es)
The timeout value
aaa authentication
Note on Encryption Keys
Adding, Removing, or Changing the Priority of a TACACS+ Server
Figure 2-4. Example of the Switch with Two TACACS+ Server Addresses Configured
Configuring an Encryption Key
“Using the Encryption Key” on page
How Authentication Operates
Figure 2-6. Using a TACACS+ Server for Authentication
Local
Global key:
Server-Specific key:
Controlling Web Browser Interface Access When Using TACACS+
Messages Related to TACACS+ Operation
tacacs-server configuration
RADIUS Authentication and Accounting
Authentication
Host: See RADIUS Server
RADIUS (Remote Authentication Dial In User Service):
RADIUS Client:
RADIUS Host:
RADIUS Server:
Switch Operating Rules for RADIUS
General RADIUS Setup Procedure
Table 3-1. Preparation for Configuring RADIUS on the Switch
Figure 3-1. Example of Possible RADIUS Access Assignments
Configuring the Switch for RADIUS
Local Authentication Process
Access When Using RADIUS
Configuring RADIUS Accounting
Network accounting:
Exec accounting:
System accounting:
Exec:
exec
System:
system
system
■ Start-Stop:
start-stop
stop-only
Figure 3-8. Example of Configuring Accounting Types
Updates:
Suppress:
Syntax: [no] aaa accounting update periodic < 1 .. 525600 > Sets the accounting
[no] aaa accounting suppress null-username Disables accounting for unknown
Viewing RADIUS Statistics
show radius
Figure 3-11. RADIUS Server Information From the Show Radius Host Command
Figure 3-12. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command
Figure 3-13. Example of RADIUS Authentication Information from a Specific Server
Figure 3-14. Listing the Accounting Configuration in the Switch
Figure 3-15. Example of RADIUS Accounting Information for a Specific Server
Changing RADIUS-Server Access Order
Figure 3-17. Search Order for Accessing a RADIUS Server
Figure 3-18. Example of New RADIUS Server Search Order
Messages Related to RADIUS Operation
Configuring Secure Shell (SSH)
Client Public Key Authentication (Login/Operator Level) with User
Figure 4-1. Client Public Key Authentication Model
http://www.openssh.com
Figure 4-2. Switch/User Authentication
SSH Server:
Key Pair:
Prerequisite for Using SSH
Public Key Formats
Steps for Configuring and Using SSH for Switch and Client Authentication
SSH Options
login public key
erase
startup-config
Configuring the Switch for SSH
Further Information on SSH Client Public-Key Authentication
Note on Public Keys
smith@fellow
fingerprint
clear crypto
Messages Related to SSH Operation
tftp
Configuring Secure Socket Layer (SSL)
http://www.openssl.com
Server Certificate authentication with User Password
Figure 5-1. Switch/User Authentication
SSL Server:
Self-Signed Certificate:
Root Certificate:
Prerequisite for Using SSL
Steps for Configuring and Using SSL for
Configuring the Switch for SSL
Common Errors in SSL setup
Configuring Port-Based Access Control (802.1x)
Overview
Authenticating One Switch to Another. 802.1x authentication also
Figure 6-1. Example of an 802.1x Application
Accounting
How 802.1x Operates
Figure 6-2. Example of Supplicant Operation
Authorized-Client VLAN:
Authentication Server:
CHAP (MD5):
Client:
EAP
EAPOL:
Friendly Client:
MD5:
PVID (Port VID):
Error configuring port X: LACP and 802.1x cannot be run together
and LACP
General Setup Procedure for Port-Based Access Control (802.1x)
eap-radius
chap-radius
radius host
Configuring Switch Ports as Authenticators
(Syntax Continued)
max-requests
quiet period
Figure 6-3. Example of 802.1x (Port-Access) Authentication
802.1x Open VLAN Mode
1st Priority:
2nd Priority:
Unauthorized-Client
Table 6-1. 802.1x Open VLAN Mode Options
802.1x Per-Port Configuration
Port Response
Note:
Condition
Rule
rad4all
Option For Authenticator Ports:
Configure Port-Security To Allow Only 802.1x Devices
Note on Blocking a Non-802.1x Device
control
authorized
auto
authorized
Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches
Figure 6-4. Example of Supplicant Operation
identity
secret
Enter secret: < password
Repeat secret: < password
max-start
start-period
Displaying 802.1x Configuration, Statistics, and Counters
supplicant
Figure 6-5. Example Showing Ports Configured for Open VLAN Mode
Thus, in the show port-access authenticator output:
Auth VLAN ID
Current VLAN ID
Table 6-1. Open VLAN Mode Status
Figure 6-6. Example of Showing a VLAN with Ports Configured for Open VLAN Mode
Connecting
port-access
supplicant statistics [e]
port-list
How RADIUS/802.1x Authentication Affects VLAN Operation
If the Port Used by the Client Is Not Configured as an Untagged
Figure 6-7. Example of an Active VLAN Configuration
show vlan
Messages Related to 802.1x Operation
Table 6-2. 802.1x Operating Messages
Configuring and Monitoring Port Security
Basic Operation
Default Port Security Operation
Intruder Protection
Authorized (MAC) Addresses:
Blocking Unauthorized Traffic
Figure 7-1. Example of How Port Security Controls Access
Trunk Group Exclusion
Planning Port Security
show log
Port Security Command Options and
Web: Displaying and Configuring Port Security Features
Security
Reading Intrusion Alerts and Resetting Alert Flags
– The show port-security intrusion-log command displays the Intrusion Log
Figure 7-9. Example of Multiple Intrusion Log Entries for the Same Port
Send-Disable Operation
Figure 7-10. Example of Port Status Screen with Intrusion Alert on Port A3
Figure 7-11. Example of the Intrusion Log Display
show interfaces brief
intrusion-log
Figure 7-14. Example of Port Status Screen After Alert Flags Reset
From the CLI
search-text
security
Operating Notes for Port Security
Using Authorized IP Managers
Authorized IP Manager Features
Options
Access Levels
Manager:
Operator:
Defining Authorized Management Stations
Authorizing Multiple Stations:
Manager
Operator
2. Switch Configuration
7. IP Authorized Managers
Figure 8-1. Example of How To Add an Authorized Manager Entry
Figure 8-2. Example of How To Add an Authorized Manager Entry (Continued)
Edit
Delete
show ip authorized-managers
Web: Configuring IP Authorized Managers
Building IP Masks
Figure 8-4. Analysis of IP Mask for Single-Station Entries
Figure 8-5. Analysis of IP Mask for Multiple-Station Entries
Modem and Direct Console Access:
Duplicate IP Addresses:
Web Proxy Servers:
Numerics