Access security guide Hp procurve Series 4100gl switches
Page
Access Security Guide
HP Procurve Series 4100GL Switches
Publication Number
Contents
Configuring the Switch for Radius Authentication
Controlling Web Browser Interface Access When
When Using Radius Authentication
Controlling Web Browser Interface Access
Further Information on SSH Client Public-Key Authentication
Operating Rules for Authorized-Client
General Setup Procedure for
Configuring Switch Ports To Operate As Supplicants for
802.1x Connections to Other Switches
Resetting Alert Flags Operating Notes for Port Security
How RADIUS/802.1x Authentication Affects Vlan Operation
Port Security Command Options and Operation
Web Displaying and Configuring Port Security Features
Defining Authorized Management Stations
Page
Getting Started Contents
Introduction
Overview of Access Security Features
Getting Started
Xiii
Command Prompts
Command Syntax Conventions
Simulating Display Output
Screen Simulations
Related Publications
Getting Started
Click on technical support
Getting Documentation From the Web
Sources for More Information
Main Menu of the Menu interface, select
To Set Up and Install the Switch in Your Network
Run Setup
Need Only a Quick Start?
Page
Configuring Username and Password Security
Level Actions Permitted
Configuring Username and Password Security
Feature Default Menu
Overview
Passwords are case-sensitive
Console Passwords
Configuring Local Password Security
Menu Setting Passwords
To set a new password
Commands Used in This Section
CLI Setting Passwords and Usernames
Continue Deletion of password protection? No
Configuring Manager and Operator Passwords
Enter
Web Setting Passwords and Usernames
Click on Device Passwords
Click on the Security tab
Using TACACS+ Authentication Messages Operating Notes
TACACS+ Authentication
Example of TACACS+ Operation
TACACS+ Authentication
TACACS+ Authentication
Terminology Used in Tacacs Applications
General System Requirements
General Authentication Setup Procedure
Determine the following
Result in Operator read-only access. Thus, when configuring
Additional features that the application offers
Always used as the secondary access control method
Telnet
Before You Begin
Configuring TACACS+ on the Switch
CLI Commands Described in this Section
Command
This example shows the default authentication configuration
Viewing the Switch’s Current Authentication Configuration
Configuring the Switch’s Authentication Methods
Method/privilege path. Available only if the primary method
AAA Authentication Parameters
Name Default Range Function
Authentication for the access being configured is local
Login Primary to Local authentication
Primary/Secondary Authentication Table
HPswitchconfig# aaa authentication num-attempts
TACACS+ server
Configuring the Switch’s TACACS+ Server Access
Syntax tacacs-server host ip-addr key key-string
None
Name Default Range
None null
Timeout 1
To configure north01 as a per-server encryption key
HPswitchconfig# no tacacs-server host
General Authentication Process Using a TACACS+ Server
How Authentication Operates
Changes without executing write mem
TACACS+ Authentication
Authentication
Local Authentication Process
Using the Encryption Key
HPswitchconfig# tacacs-server key north40campus
CLI Message Meaning
Tacacs-server configuration
Messages Related to TACACS+ Operation
Operating Notes
Rized persons
Controlling Web Browser Interface Access When Using Radius
Radius Authentication and Accounting
Radius Authentication and Accounting
Port-Access
Terminology
Switch Operating Rules for Radius
Preparation for Configuring Radius on the Switch
General Radius Setup Procedure
Outline of the Steps for Configuring Radius Authentication
Configuring the Switch for Radius Authentication
Radius Authentication Commands
Server IP address
Used on the specified Radius server. Default null
Configure the global Radius parameters
Radius server documentation
Local none
Authentication Process on
Example Configuration for Radius Authentication
Configuring Radius Accounting instead of continuing here
Configure the Switch To Access a Radius Server
Radius Authentication and Accounting
Key global-key-string
Configure the Switch’s Global Radius Parameters
To an authentication request before counting the attempt as
Listings of Global Radius Parameters Configured In Figure
Local Authentication Process
Word pair for the level you want to enter
Radius Accounting Commands
Configuring Radius Accounting
On page 3-5 before continuing here
Operating Rules for Radius Accounting
Steps for Configuring Radius Accounting
Configure the Switch To Access a Radius Server
Radius Authentication and Accounting
Start-Stop
Example of Configuring Accounting Types
Update period
General Radius Statistics
Viewing Radius Statistics
PendingRequests
Term Definition
Radius Authentication Statistics
Radius Accounting Statistics
14. Listing the Accounting Configuration in the Switch
17. Search Order for Accessing a Radius Server
Changing RADIUS-Server Access Order
18. Example of New Radius Server Search Order
Message Meaning
Messages Related to Radius Operation
Page
Configuring the Switch for SSH Operation
Configuring Secure Shell SSH
Configuring Secure Shell SSH
Client Public Key Authentication Model
3DES 168-bit
Use a key to authenticate itself to the switch
DES 56-bit
Prerequisite for Using SSH
SSH Options
Public Key Formats
Ssh enable radius
Switch Primary SSH Authenticate Primary Switch
Manager Ssh enable local
Enable Ssh enable tacacs
Configuring Secure Shell SSH
General Operating Rules and Notes
SSH-Related Commands in This Section
Configuring the Switch for SSH Operation
Example of Configuring Local Passwords
Generating the Switch’s Public and Private Key Pair
CLI kill command
To the switch using the earlier pair
Pair automatically disables SSH
For example, to generate and display a new key
Providing the Switch’s Public Key to Clients
Operation
Example of a Public Key Generated by the Switch
Inserted Bit Exponent Modulus
Switch’s Public and Private Key Pair on
To enable SSH on the switch
On the switch by appearing to be you
Version of SSH to accept connections from. default 1-or-2
Option a Configuring SSH Access for Password-Only SSH
Configuring the Switch for SSH Authentication
U t i o n
Configures
14 shows how to check the results of the above commands
Use an SSH Client To Access the Switch
Further Information on SSH Client Public-Key Authentication
15. Example of a Client Public Key
Ascii
Property Supported Comments Value
Show crypto client-public-key babble fingerprint
Deletes the client-public-key file from the switch
00000K Peer unreachable
Messages Related to SSH Operation
Key for the switch
Comments on certificate fields
Assigning a Local Login Operator
Configuring Secure Socket Layer SSL
Server Certificate authentication with User Password
RC4 40-bit, 128-bit
3DES 168-bit, 112 Effective
General steps for configuring ssl include Client Preparation
Prerequisite for Using SSL
Provided with your browser
General Operating Rules and Notes
Assigning a Local Login Operator and Enable ManagerPassword
Configuring the Switch for SSL Operation
SSL-Related CLI Commands in This Section
Security Tab Password Button
Earlier certificate
Generating the Switch’s Server Host Certificate
Particular switch/client session, and then discarded
Verified unequivocally
CLI
CLI commands used to generate a Server Host Certificate
For example, to generate a key and a new host certificate
Certificate Field Descriptions
Field Name Description
For example, to display the new server host certificate
CLI Command to view host certificates
Host-cert command
Can resume SSL operation
New key then just select current from the list
Installed certificate
Select the Generate Certificate button
Iii Select Self signed certificate in the type box
Configuring Secure Socket Layer SSL
Web browser Interface showing current SSL Host Certificate
Configuring Secure Socket Layer SSL
Certificate Request Certificate Request Reply
T e
Execute no web-management ssl
Zeroize the switch’s host certificate or certificate key .
Enable SLL Port number Selection
Error During Possible Cause
Common Errors in SSL setup
Page
General Operating Rules and Notes -9
General Setup Procedure for Port-Based Access Control
Messages Related to 802.1x Operation -47
802.1x on the Series 4100GL switches includes the following
Why Use Port-Based Access Control?
General Features
Refer to Radius Authentication and Accounting on
Configuring Port-Based Access Control
Authenticating One Switch to Another .1x authentication also
How 802.1x Operates
Authenticator Operation
Example of Supplicant Operation
Switch-Port Supplicant Operation
Terminology
802.1x standard
General Operating Rules and Notes
Configuring Port-Based Access Control
Do These Steps Before You Configure 802.1x Operation
General Setup Procedure for Port-Based Access Control
Authenticators operate as expected
Overview Configuring 802.1x Authentication on Switch
Configuring Port-Based Access Control
802.1x Authentication Commands
Configuring Switch Ports as Authenticators
To activate 802.1x authentication on the switch
Enable 802.1x Authentication on Selected Ports
Tx-period 0
Clears authenticator statistics counters
Chap-radius
Configure the 802.1x Authentication Method
Local
Eap-radius
Enter the Radius Host IP Addresses
Enable 802.1x Authentication on the Switch
802.1x Open Vlan Mode
802.1x-Related Show Commands Radius server configuration
Introduction
Tagged Vlan as the Unauthorized-Client Vlan
Use Models for 802.1x Open Vlan Modes
Port as a static, tagged member of the VLAN, membership
802.1x Per-Port Configuration Port Response
Condition Rule
Multiple Authenticator Ports Using
Before you configure the 802.1x Open Vlan mode on a port
Setting Up and Configuring 802.1x Open Vlan Mode
Mised by an unauthorized client
Port-Security To Allow Only 802.1x Devices on
Activate authentication on the switch
Vlan Operation
HPswitchconfig# aaa authentication port-access eap-radius
802.1x Open Vlan Operating Notes
Action none send-alarm send-disable
Enables 802.1x authentication on the port
802.1x Authentication Commands 802.1x Supplicant Commands
Specified ports
Authenticator at the same time
Enter secret password Repeat secret password
Syntax aaa port-access supplicant ethernet port-list
Max-start 1
Show Commands for Port-Access Authenticator
Displaying 802.1x Configuration, Statistics, and Counters
Viewing 802.1x Open Vlan Mode Status
Page
To the port
Open Vlan Mode Status
Configuring Port-Based Access Control
Supplicant port detects a different authenticator device
Show Commands for Port-Access Supplicant
Switch reboots
How RADIUS/802.1x Authentication Affects Vlan Operation
Example of an Active Vlan Configuration
Otherwise, port A2 is not listed
Assignment
1x Operating Messages
Messages Related to 802.1x Operation
Page
Blocking Unauthorized Traffic -3 Trunk Group Exclusion -4
Basic Operation
Retention of Static Addresses
Basic Operation
Configuring and Monitoring Port Security
Blocking Unauthorized Traffic
Security
Trunk Group Exclusion
Planning Port Security
Acquires and maintains authorized addresses
Port Security Command Options Operation
Port Security Commands Used in This Section
Commands
Mac-address mac-addr
Port Security Parameters
Mode
Address address-limit integer
Parameter Description
Retention of Static Addresses
Clear- clear-intrusion-flag
Using the CLI To Display Port Security Settings
Displaying Current Port Security Settings
Configuring Port Security
Configuring and Monitoring Port Security
Example of Adding an Authorized Device to a Port
Entry in the table on
Command option removes unwanted devices MAC addresses from
Device’s MAC address. For example
Removing a Device From the Authorized List for a Port. This
Remove 0c0090-123456 from the Authorized Address list
To automatically become authorized
Reading Intrusion Alerts and Resetting Alert Flags
Web Displaying and Configuring Port Security Features
Click on Port Security
Example of Multiple Intrusion Log Entries for the Same Port
How the Intrusion Log Operates
Intrusion flag
Flags
Operates as follows
It detects
11. Example of the Intrusion Log Display
Type I Intrusion log to display the Intrusion Log
List intrusion log content
Intrusion Alert on port A1
Event Log lists port security intrusions as
14. Example of Port Status Screen After Alert Flags Reset
Operating Notes for Port Security
Configuring and Monitoring Port Security
Page
Building IP Masks
Using Authorized IP Managers
Using Authorized IP Managers
Authorized IP Manager Features
You can configure
Access Levels
Options
Overview of IP Mask Operation
Defining Authorized Management Stations
From the console Main Menu, select
Menu Viewing and Configuring IP Authorized Managers
Switch Configuration IP Authorized Managers
Building IP Masks on
Authorized IP Managers Commands Used in This Section
CLI Viewing and Configuring Authorized IP Managers
IP Mask
Configuring IP Authorized Managers for the Switch
Address of the authorized manager you want to delete
Web Configuring IP Authorized Managers
Click on Authorized Addresses
Manager IP
Configuring One Station Per Authorized Manager IP Entry
Building IP Masks
Authorized 227 125
Using Authorized IP Managers
IP Mask 255 249
125, or 127 can access the switch
Building IP Masks
Any value from 0 to
Results
Additional Examples for Authorizing Multiple Stations
Authorized
Using Authorized IP Managers
Page
Index
Index
See port access control OpenSSH … 4-3,5-2 operating notes
See SSH. proxy Web server … Quick start …
SSL
See RADIUS. … 3-4 troubleshoot … 2-15 troubleshooting
Index
Page
5990-3032