Manuals / Brands / Computer Equipment / Switch / HP / Computer Equipment / Switch

HP ProCurve 4100gl none, none, none, login, public-key

1 228

Download 228 pages, 5.22 Mb

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Configures a password method for the primary and secondary enable (Manager) access. If you do not spec ify an optional secondary method, it defaults to none.

Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP server into the switch. This means that before you can use this option, you must:

1. Create a key pair on an SSH client.

2. Copy the client’s public key into a public-key file (which can contain up to ten client public-keys).

3. Copy the public-key file into a TFTP server accessible to the switch and download the file to the switch.

(For more on these topics, refer to “Further Information on SSH Client Public- Key Authentication” on page 4-22.)

With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public-keys. After the client gains login access, the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authentication ssh enable command.

Syntax: copy tftp pub-key-file < ip-address> < filename >

	Copies a public key file into the switch.
	aaa authentication ssh login public-key
	Configures the switch to authenticate a client public
	key at the login level with an optional secondary pass
	word method (default: none).

Caution	To allow SSH access only to clients having the correct public key, you must
	configure the secondary (password) method for login public-keyto none.
	Otherwise a client without the correct public key can still gain entry by
	submitting a correct local login password.

4-19

Contents

Page Page HP Procurve Series 4100GL Switches Page Getting Started 1 Configuring Username and Password Security 2 TACACS+ Authentication 3 RADIUS Authentication and Accounting 4 Configuring Secure Shell (SSH) 5 Configuring Secure Socket Layer (SSL) 6 Configuring Port-BasedAccess Control (802.1x) 7 Configuring and Monitoring Port Security 8 Using Authorized IP Managers Page Page Getting Started Introduction Overview of Access Security Features Table Command Syntax Conventions copy tftp Simulating Display Output hostname Figure 1. Example of a Figure Showing a Simulated Screen Related Publications Page Getting Documentation From the Web 2.Click on technical support manuals Sources for More Information http://www.hp.com/go/hpprocurve Need Only a Quick Start IP Addressing setup 8.Run Setup Page Configuring Username and Password Security Note Caution Inactivity Time Configuring Local Password Security Figure 1-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Configuring Manager and Operator Passwords Figure 1-2.Example of Configuring Manager and Operator Passwords Figure 1-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface TACACS+ Authentication A3 or A2 or Figure 2-1.Example of TACACS+ Operation Notes Regarding Software Release G.05 Terminology Used in TACACS Applications: NAS (Network Access Server): TACACS+ Server: Authentication: General System Requirements Notes General Authentication Setup Procedure Note on Privilege Levels ping write memory Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Figure 2-2.Example Listing of the Switch’s Authentication Configuration paris-1 show tacacs Figure 2-3.Example of the Switch’s TACACS+ Configuration Listing Page Table 2-1.AAA Authentication Parameters Table 2-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Access Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Page Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 2-4.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key “Using the Encryption Key” on page How Authentication Operates Figure 2-6.Using a TACACS+ Server for Authentication Page Local Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page RADIUS Authentication and Accounting Authentication Host: See RADIUS Server RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: RADIUS Server: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Table 3-1.Preparation for Configuring RADIUS on the Switch Figure 3-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Local Authentication Process Access When Using RADIUS Configuring RADIUS Accounting Network accounting: Exec accounting: System accounting: Page Page Exec: exec System: system system ■Start-Stop: start-stop stop-only Figure 3-8.Example of Configuring Accounting Types Updates: Suppress: Syntax:[no] aaa accounting update periodic < 1 .. 525600 > Sets the accounting [no] aaa accounting suppress null-usernameDisablesaccounting for unknown Viewing RADIUS Statistics show radius Figure 3-11.RADIUS Server Information From the Show Radius Host Command Page Figure 3-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 3-13.Example of RADIUS Authentication Information from a Specific Server Figure 3-14.Listing the Accounting Configuration in the Switch Figure 3-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 3-17.Search Order for Accessing a RADIUS Server Figure 3-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Page Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 4-1.Client Public Key Authentication Model http: www.openssh.com Figure 4-2.Switch/User Authentication SSH Server: Key Pair: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication SSH Options Page login public key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication Page Page Note on Public Keys smith@fellow fingerprint clear crypto Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) http:// www.openssl.com Server Certificate authentication with User Password Figure 5-1.Switch/User Authentication SSL Server: Self-Signed Certificate: Root Certificate: Prerequisite for Using SSL Steps for Configuring and Using SSL for Page Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL setup Page Configuring Port-BasedAccess Control (802.1x) Overview Page Authenticating One Switch to Another. 802.1x authentication also Figure 6-1.Example of an 802.1x Application Accounting How 802.1x Operates Figure 6-2.Example of Supplicant Operation Authorized-Client VLAN: Authentication Server: CHAP (MD5): Client: EAP EAPOL : Friendly Client: MD5: PVID (Port VID): Page Error configuring port X: LACP and 802.1x cannot be run together and LACP General Setup Procedure for Port-BasedAccess Control (802.1x) eap-radius chap-radius radius host Page Configuring Switch Ports as Authenticators Page (Syntax Continued) max-requests quiet period Page Figure 6-3.Example of 802.1x (Port-Access)Authentication Page 802.1x Open VLAN Mode 1st Priority: 2nd Priority: Unauthorized-Client Table 6-1.802.1x Open VLAN Mode Options 802.1x Per-PortConfiguration Port Response Note: Page Condition Rule Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1x Devices Note on Blocking a Non- 802.1x Device control authorized auto authorized Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Figure 6-4.Example of Supplicant Operation Page identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1x Configuration, Statistics, and Counters supplicant Figure 6-5.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 6-1.Open VLAN Mode Status Figure 6-6.Example of Showing a VLAN with Ports Configured for Open VLAN Mode Connecting port-access supplicant statistics [e] port-list How RADIUS/802.1x Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 6-7.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1x Operation Table 6-2.802.1x Operating Messages Page Configuring and Monitoring Port Security Basic Operation Default Port Security Operation Intruder Protection Authorized (MAC) Addresses: Blocking Unauthorized Traffic Figure 7-1.Example of How Port Security Controls Access Trunk Group Exclusion Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Web: Displaying and Configuring Port Security Features Security Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 7-9.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation Figure 7-10.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 7-11.Example of the Intrusion Log Display prior to show interfaces brief intrusion-log Figure 7-14.Example of Port Status Screen After Alert Flags Reset From the CLI search-text ffi security Operating Notes for Port Security Page Page Using Authorized IP Managers Using Authorized IP Managers Authorized IP Manager Features Options Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration 7.IP Authorized Managers Figure 8-1.Example of How To Add an Authorized Manager Entry Figure 8-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Page Web: Configuring IP Authorized Managers Building IP Masks Figure 8-4.Analysis of IP Mask for Single-StationEntries Page Figure 8-5.Analysis of IP Mask for Multiple-StationEntries Modem and Direct Console Access: Duplicate IP Addresses: Web Proxy Servers: Page Page Numerics