Terminology | HP 4100gl instruction

N o t e

Configuring Port-Based Access Control (802.1x)

Terminology

•A "failure" response continues the block on port B5 and causes port A1 to wait for the "held-time" period before trying again to achieve authentication through port B5.

You can configure a switch port to operate as both a supplicant and an authenticator at the same time.

Terminology

802.1x-Aware:Refers to a device that is running either 802.1x authenticator software or 802.1x client software and is capable of interacting with other devices on the basis of the IEEE 802.1x standard.

Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authen- ticated clients with network services that are not available on either the port’s statically configured VLAN memberships or any VLAN member- ships that may be assigned during the RADIUS authentication process. While an 802.1x port is a member of this VLAN, the port is untagged. When the client connection terminates, the port drops its membership in this VLAN.

Authentication Server: The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator. In the case of a Series 4100GL switch running 802.1x, this is a RADIUS server (unless local authentication is used, in which case the switch performs this function using its own username and password for authen- ticating a supplicant).

Authenticator: In HP Procurve switch applications, a device such as a Series 4100GL switch that requires a supplicant to provide the proper credentials (username and password) before being allowed access to the network.

CHAP (MD5): Challenge Handshake Authentication Protocol.

Client: In this application, an end-node device such as a management station, workstation, or mobile PC linked to the switch through a point-to-point LAN link.

6-7

Image 141

HP 4100gl manual Terminology

Contents

Access security guide Hp procurve Series 4100gl switches Page Access Security Guide HP Procurve Series 4100GL Switches Publication Number Contents Configuring the Switch for Radius Authentication Controlling Web Browser Interface Access When When Using Radius Authentication Controlling Web Browser Interface Access Further Information on SSH Client Public-Key Authentication Configuring Switch Ports To Operate As Supplicants for General Setup Procedure for802.1x Connections to Other Switches Operating Rules for Authorized-Client Port Security Command Options and Operation How RADIUS/802.1x Authentication Affects Vlan OperationWeb Displaying and Configuring Port Security Features Resetting Alert Flags Operating Notes for Port Security Defining Authorized Management Stations Page Getting Started Contents Overview of Access Security Features IntroductionGetting Started Xiii Command Syntax Conventions Command PromptsSimulating Display Output Screen Simulations Related Publications Getting Started Click on technical support Getting Documentation From the Web Sources for More Information Run Setup To Set Up and Install the Switch in Your NetworkNeed Only a Quick Start? Main Menu of the Menu interface, selectPage Configuring Username and Password Security Feature Default Menu Configuring Username and Password SecurityOverview Level Actions Permitted Passwords are case-sensitive Menu Setting Passwords Configuring Local Password SecurityTo set a new password Console Passwords Continue Deletion of password protection? No CLI Setting Passwords and UsernamesConfiguring Manager and Operator Passwords Commands Used in This Section Click on Device Passwords Web Setting Passwords and UsernamesClick on the Security tab Enter Using TACACS+ Authentication Messages Operating Notes TACACS+ Authentication Example of TACACS+ Operation TACACS+ Authentication TACACS+ Authentication Terminology Used in Tacacs Applications General System Requirements General Authentication Setup Procedure Additional features that the application offers Result in Operator read-only access. Thus, when configuringAlways used as the secondary access control method Determine the following Telnet CLI Commands Described in this Section Configuring TACACS+ on the SwitchCommand Before You Begin This example shows the default authentication configuration Viewing the Switch’s Current Authentication Configuration Configuring the Switch’s Authentication Methods Name Default Range Function AAA Authentication ParametersAuthentication for the access being configured is local Method/privilege path. Available only if the primary method Login Primary to Local authentication Primary/Secondary Authentication Table HPswitchconfig# aaa authentication num-attempts TACACS+ server Configuring the Switch’s TACACS+ Server Access Syntax tacacs-server host ip-addr key key-string None Name Default Range None null Timeout 1 To configure north01 as a per-server encryption key HPswitchconfig# no tacacs-server host How Authentication Operates General Authentication Process Using a TACACS+ ServerChanges without executing write mem TACACS+ Authentication Authentication Local Authentication Process Using the Encryption Key HPswitchconfig# tacacs-server key north40campus Messages Related to TACACS+ Operation Tacacs-server configurationOperating Notes CLI Message Meaning Rized persons Controlling Web Browser Interface Access When Using Radius Radius Authentication and Accounting Radius Authentication and Accounting Port-Access Terminology Switch Operating Rules for Radius Preparation for Configuring Radius on the Switch General Radius Setup Procedure Configuring the Switch for Radius Authentication Outline of the Steps for Configuring Radius AuthenticationRadius Authentication Commands Configure the global Radius parameters Used on the specified Radius server. Default nullRadius server documentation Server IP address Local none Authentication Process on Example Configuration for Radius Authentication Configuring Radius Accounting instead of continuing here Configure the Switch To Access a Radius Server Radius Authentication and Accounting Key global-key-string Configure the Switch’s Global Radius Parameters To an authentication request before counting the attempt as Listings of Global Radius Parameters Configured In Figure Local Authentication Process Word pair for the level you want to enter Configuring Radius Accounting Radius Accounting CommandsOn page 3-5 before continuing here Operating Rules for Radius Accounting Steps for Configuring Radius Accounting Configure the Switch To Access a Radius Server Radius Authentication and Accounting Start-Stop Example of Configuring Accounting Types Update period General Radius Statistics Viewing Radius Statistics PendingRequests Term Definition Radius Authentication Statistics Radius Accounting Statistics 14. Listing the Accounting Configuration in the Switch 17. Search Order for Accessing a Radius Server Changing RADIUS-Server Access Order 18. Example of New Radius Server Search Order Message Meaning Messages Related to Radius OperationPage Configuring the Switch for SSH Operation Configuring Secure Shell SSH Configuring Secure Shell SSH Client Public Key Authentication Model Use a key to authenticate itself to the switch 3DES 168-bitDES 56-bit Prerequisite for Using SSH SSH Options Public Key Formats Manager Ssh enable local Switch Primary SSH Authenticate Primary SwitchEnable Ssh enable tacacs Ssh enable radius Configuring Secure Shell SSH General Operating Rules and Notes SSH-Related Commands in This Section Configuring the Switch for SSH Operation Example of Configuring Local Passwords Generating the Switch’s Public and Private Key Pair To the switch using the earlier pair CLI kill commandPair automatically disables SSH Providing the Switch’s Public Key to Clients For example, to generate and display a new keyOperation Example of a Public Key Generated by the Switch Inserted Bit Exponent Modulus Switch’s Public and Private Key Pair on To enable SSH on the switch On the switch by appearing to be you Version of SSH to accept connections from. default 1-or-2 Option a Configuring SSH Access for Password-Only SSH Configuring the Switch for SSH Authentication U t i o n Configures 14 shows how to check the results of the above commands Use an SSH Client To Access the Switch Further Information on SSH Client Public-Key Authentication 15. Example of a Client Public Key Ascii Property Supported Comments Value Show crypto client-public-key babble fingerprint Deletes the client-public-key file from the switch 00000K Peer unreachable Messages Related to SSH Operation Key for the switch Comments on certificate fields Assigning a Local Login Operator Configuring Secure Socket Layer SSL Server Certificate authentication with User Password RC4 40-bit, 128-bit 3DES 168-bit, 112 Effective General steps for configuring ssl include Client Preparation Prerequisite for Using SSL Provided with your browser General Operating Rules and Notes Configuring the Switch for SSL Operation Assigning a Local Login Operator and Enable ManagerPasswordSSL-Related CLI Commands in This Section Security Tab Password Button Particular switch/client session, and then discarded Generating the Switch’s Server Host CertificateVerified unequivocally Earlier certificate CLI CLI commands used to generate a Server Host Certificate Certificate Field Descriptions For example, to generate a key and a new host certificateField Name Description Host-cert command CLI Command to view host certificatesCan resume SSL operation For example, to display the new server host certificate Select the Generate Certificate button Installed certificateIii Select Self signed certificate in the type box New key then just select current from the list Configuring Secure Socket Layer SSL Web browser Interface showing current SSL Host Certificate Configuring Secure Socket Layer SSL Certificate Request Certificate Request Reply T e Execute no web-management ssl Zeroize the switch’s host certificate or certificate key . Enable SLL Port number Selection Error During Possible Cause Common Errors in SSL setupPage General Setup Procedure for Port-Based Access Control General Operating Rules and Notes -9Messages Related to 802.1x Operation -47 General Features Why Use Port-Based Access Control?Refer to Radius Authentication and Accounting on 802.1x on the Series 4100GL switches includes the following Configuring Port-Based Access Control Authenticating One Switch to Another .1x authentication also How 802.1x Operates Authenticator Operation Example of Supplicant Operation Switch-Port Supplicant Operation Terminology 802.1x standard General Operating Rules and Notes Configuring Port-Based Access Control Do These Steps Before You Configure 802.1x Operation General Setup Procedure for Port-Based Access Control Authenticators operate as expected Overview Configuring 802.1x Authentication on Switch Configuring Port-Based Access Control 802.1x Authentication Commands Configuring Switch Ports as Authenticators To activate 802.1x authentication on the switch Enable 802.1x Authentication on Selected Ports Tx-period 0 Clears authenticator statistics counters Local Configure the 802.1x Authentication MethodEap-radius Chap-radius Enter the Radius Host IP Addresses Enable 802.1x Authentication on the Switch 802.1x-Related Show Commands Radius server configuration 802.1x Open Vlan ModeIntroduction Tagged Vlan as the Unauthorized-Client Vlan Use Models for 802.1x Open Vlan Modes Port as a static, tagged member of the VLAN, membership 802.1x Per-Port Configuration Port Response Condition Rule Multiple Authenticator Ports Using Before you configure the 802.1x Open Vlan mode on a port Setting Up and Configuring 802.1x Open Vlan Mode Mised by an unauthorized client Activate authentication on the switch Port-Security To Allow Only 802.1x Devices onVlan Operation HPswitchconfig# aaa authentication port-access eap-radius 802.1x Open Vlan Operating Notes Action none send-alarm send-disable Enables 802.1x authentication on the port 802.1x Authentication Commands 802.1x Supplicant Commands Specified ports Authenticator at the same time Enter secret password Repeat secret password Syntax aaa port-access supplicant ethernet port-list Max-start 1 Show Commands for Port-Access Authenticator Displaying 802.1x Configuration, Statistics, and Counters Viewing 802.1x Open Vlan Mode Status Page To the port Open Vlan Mode Status Configuring Port-Based Access Control Show Commands for Port-Access Supplicant Supplicant port detects a different authenticator deviceSwitch reboots How RADIUS/802.1x Authentication Affects Vlan Operation Example of an Active Vlan Configuration Otherwise, port A2 is not listed Assignment 1x Operating Messages Messages Related to 802.1x OperationPage Basic Operation Blocking Unauthorized Traffic -3 Trunk Group Exclusion -4Retention of Static Addresses Basic Operation Configuring and Monitoring Port Security Blocking Unauthorized Traffic Security Trunk Group Exclusion Planning Port Security Port Security Commands Used in This Section Port Security Command Options OperationCommands Acquires and maintains authorized addresses Mode Port Security ParametersAddress address-limit integer Mac-address mac-addr Retention of Static Addresses Parameter DescriptionClear- clear-intrusion-flag Using the CLI To Display Port Security Settings Displaying Current Port Security Settings Configuring Port Security Configuring and Monitoring Port Security Example of Adding an Authorized Device to a Port Device’s MAC address. For example Command option removes unwanted devices MAC addresses fromRemoving a Device From the Authorized List for a Port. This Entry in the table on Remove 0c0090-123456 from the Authorized Address list To automatically become authorized Web Displaying and Configuring Port Security Features Reading Intrusion Alerts and Resetting Alert FlagsClick on Port Security Example of Multiple Intrusion Log Entries for the Same Port How the Intrusion Log Operates Operates as follows FlagsIt detects Intrusion flag 11. Example of the Intrusion Log Display Type I Intrusion log to display the Intrusion Log List intrusion log content Intrusion Alert on port A1 Event Log lists port security intrusions as 14. Example of Port Status Screen After Alert Flags Reset Operating Notes for Port Security Configuring and Monitoring Port Security Page Building IP Masks Using Authorized IP Managers Using Authorized IP Managers Authorized IP Manager Features Access Levels You can configureOptions Overview of IP Mask Operation Defining Authorized Management Stations Switch Configuration IP Authorized Managers Menu Viewing and Configuring IP Authorized ManagersBuilding IP Masks on From the console Main Menu, select Authorized IP Managers Commands Used in This Section CLI Viewing and Configuring Authorized IP Managers IP Mask Configuring IP Authorized Managers for the Switch Web Configuring IP Authorized Managers Address of the authorized manager you want to deleteClick on Authorized Addresses Building IP Masks Configuring One Station Per Authorized Manager IP EntryAuthorized 227 125 Manager IP Using Authorized IP Managers Building IP Masks 125, or 127 can access the switchAny value from 0 to IP Mask 255 249 Additional Examples for Authorizing Multiple Stations ResultsAuthorized Using Authorized IP Managers Page Index Index See port access control OpenSSH … 4-3,5-2 operating notes See SSH. proxy Web server … Quick start … SSL See RADIUS. … 3-4 troubleshoot … 2-15 troubleshooting Index Page 5990-3032