HP 4100gl 110

Configuring Secure Shell (SSH)

Further Information on SSH Client Public-Key Authentication

Syntax: clear crypto public-key

Deletes the client-public-key file from the switch.

Syntax: clear crypto public-key 3

Deletes the entry with an index of 3 from the client

	public-key file on the switch.
	Enabling Client Public-Key Authentication. After you TFTP a client-
	public-key file into the switch (described above), you can configure the switch
	to allow one of the following:
	■ If an SSH client’s public key matches the switch’s client-public-key
	file, allow that client access to the switch. If there is not a public-key
	match, then deny access to that client.
	■ If an SSH client’s public key does not have a match in the switch’s
	client-public-key file, allow the client access if the user can enter the
	switch’s login (Operator) password. (If the switch does not have an
	Operator password, then deny access to that client.
	Syntax: aaa authentication ssh login public-key none
	Allows SSH client access only if the switch detects a
	match between the client’s public key and an entry in
	the client-public-key file most recently copied into the
	switch.
	aaa authentication ssh login public-key local
	Allows SSH client access if there is a public key match
	(see above) or if the client’s user enters the switch’s
	login (Operator) password.
	With login public-key local configured, if the switch does not have an Operator
	level password, it blocks client public-key access to SSH clients whose private
	keys do not match a public key in the switch’s client-public-key file.

Caution	To enable client public-key authentication to block SSH clients whose public
	keys are not in the client-public-key file copied into the switch, you must
	configure the Login Secondary as none. Otherwise, the switch allows such
	clients to attempt access using the switch’s Operator password.

4-26

Contents

Page Page HP Procurve Series 4100GL Switches Page Getting Started 1 Configuring Username and Password Security 2 TACACS+ Authentication 3 RADIUS Authentication and Accounting 4 Configuring Secure Shell (SSH) 5 Configuring Secure Socket Layer (SSL) 6 Configuring Port-BasedAccess Control (802.1x) 7 Configuring and Monitoring Port Security 8 Using Authorized IP Managers Page Page Getting Started Introduction Overview of Access Security Features Table Command Syntax Conventions copy tftp Simulating Display Output hostname Figure 1. Example of a Figure Showing a Simulated Screen Related Publications Page Getting Documentation From the Web 2.Click on technical support manuals Sources for More Information http://www.hp.com/go/hpprocurve Need Only a Quick Start IP Addressing setup 8.Run Setup Page Configuring Username and Password Security Note Caution Inactivity Time Configuring Local Password Security Figure 1-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Configuring Manager and Operator Passwords Figure 1-2.Example of Configuring Manager and Operator Passwords Figure 1-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface TACACS+ Authentication A3 or A2 or Figure 2-1.Example of TACACS+ Operation Notes Regarding Software Release G.05 Terminology Used in TACACS Applications: NAS (Network Access Server): TACACS+ Server: Authentication: General System Requirements Notes General Authentication Setup Procedure Note on Privilege Levels ping write memory Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Figure 2-2.Example Listing of the Switch’s Authentication Configuration paris-1 show tacacs Figure 2-3.Example of the Switch’s TACACS+ Configuration Listing Page Table 2-1.AAA Authentication Parameters Table 2-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Access Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Page Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 2-4.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key “Using the Encryption Key” on page How Authentication Operates Figure 2-6.Using a TACACS+ Server for Authentication Page Local Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page RADIUS Authentication and Accounting Authentication Host: See RADIUS Server RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: RADIUS Server: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Table 3-1.Preparation for Configuring RADIUS on the Switch Figure 3-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Local Authentication Process Access When Using RADIUS Configuring RADIUS Accounting Network accounting: Exec accounting: System accounting: Page Page Exec: exec System: system system ■Start-Stop: start-stop stop-only Figure 3-8.Example of Configuring Accounting Types Updates: Suppress: Syntax:[no] aaa accounting update periodic < 1 .. 525600 > Sets the accounting [no] aaa accounting suppress null-usernameDisablesaccounting for unknown Viewing RADIUS Statistics show radius Figure 3-11.RADIUS Server Information From the Show Radius Host Command Page Figure 3-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 3-13.Example of RADIUS Authentication Information from a Specific Server Figure 3-14.Listing the Accounting Configuration in the Switch Figure 3-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 3-17.Search Order for Accessing a RADIUS Server Figure 3-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Page Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 4-1.Client Public Key Authentication Model http: www.openssh.com Figure 4-2.Switch/User Authentication SSH Server: Key Pair: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication SSH Options Page login public key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication Page Page Note on Public Keys smith@fellow fingerprint clear crypto Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) http:// www.openssl.com Server Certificate authentication with User Password Figure 5-1.Switch/User Authentication SSL Server: Self-Signed Certificate: Root Certificate: Prerequisite for Using SSL Steps for Configuring and Using SSL for Page Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL setup Page Configuring Port-BasedAccess Control (802.1x) Overview Page Authenticating One Switch to Another. 802.1x authentication also Figure 6-1.Example of an 802.1x Application Accounting How 802.1x Operates Figure 6-2.Example of Supplicant Operation Authorized-Client VLAN: Authentication Server: CHAP (MD5): Client: EAP EAPOL : Friendly Client: MD5: PVID (Port VID): Page Error configuring port X: LACP and 802.1x cannot be run together and LACP General Setup Procedure for Port-BasedAccess Control (802.1x) eap-radius chap-radius radius host Page Configuring Switch Ports as Authenticators Page (Syntax Continued) max-requests quiet period Page Figure 6-3.Example of 802.1x (Port-Access)Authentication Page 802.1x Open VLAN Mode 1st Priority: 2nd Priority: Unauthorized-Client Table 6-1.802.1x Open VLAN Mode Options 802.1x Per-PortConfiguration Port Response Note: Page Condition Rule Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1x Devices Note on Blocking a Non- 802.1x Device control authorized auto authorized Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Figure 6-4.Example of Supplicant Operation Page identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1x Configuration, Statistics, and Counters supplicant Figure 6-5.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 6-1.Open VLAN Mode Status Figure 6-6.Example of Showing a VLAN with Ports Configured for Open VLAN Mode Connecting port-access supplicant statistics [e] port-list How RADIUS/802.1x Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 6-7.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1x Operation Table 6-2.802.1x Operating Messages Page Configuring and Monitoring Port Security Basic Operation Default Port Security Operation Intruder Protection Authorized (MAC) Addresses: Blocking Unauthorized Traffic Figure 7-1.Example of How Port Security Controls Access Trunk Group Exclusion Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Web: Displaying and Configuring Port Security Features Security Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 7-9.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation Figure 7-10.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 7-11.Example of the Intrusion Log Display prior to show interfaces brief intrusion-log Figure 7-14.Example of Port Status Screen After Alert Flags Reset From the CLI search-text ffi security Operating Notes for Port Security Page Page Using Authorized IP Managers Using Authorized IP Managers Authorized IP Manager Features Options Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration 7.IP Authorized Managers Figure 8-1.Example of How To Add an Authorized Manager Entry Figure 8-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Page Web: Configuring IP Authorized Managers Building IP Masks Figure 8-4.Analysis of IP Mask for Single-StationEntries Page Figure 8-5.Analysis of IP Mask for Multiple-StationEntries Modem and Direct Console Access: Duplicate IP Addresses: Web Proxy Servers: Page Page Numerics