HP 4100gl 149

Configuring Port-Based Access Control (802.1x)

Configuring Switch Ports as 802.1x Authenticators

	1. Enable 802.1x Authentication on Selected Ports
	This task configures the individual ports you want to operate as 802.1x
	authenticators for point-to-point links to 802.1x-aware clients or switches.
	(Actual 802.1x operation does not commence until you perform step 5 on page
	6-12to activate 802.1x authentication on the switch.)

Note	When you enable 802.1x authentication on a port, the switch automatically disables
	LACP on that port. However, if the port is already operating in an LACP trunk, you
	must remove the port from the trunk before you can configure it for 802.1x authen-
	tication.
	Syntax: aaa port-access authenticator < port-list>
	Syntax: aaa port-access authenticator < port-list>
	Enables specified ports to operate as 802.1x authenti
	cators with current per- port authenticator configura
	tion. To activate configured 802.1x operation, you
	must enable 802.1x authentication. Refer to "5. Enable
	802.1x Authentication on the switch" on page 6-12.
	[control < authorized auto unauthorized >]
	Controls authentication mode on the specified port:
	auto (the default): The device connected to the port must
	support 802.1x authentication and provide valid
	credentials in order to get network access. (You
	have the option of using the Open VLAN mode to
	provide a path for clients without 802.1x
	supplicant software to download this software and
	begin the authentication process. Refer to “802.1x
	Open VLAN Mode” on page 6-20.)
	authorized: Also termed Force Authorized. Grants access
	to any device connected to the port. In this case, the
	device does not have to provide 802.1x credentials
	or support 802.1x authentication. (However, you
	can still configure console, Telnet, or SSH security
	on the port.)
	unauthorized: Also termed Force Unauthorized. Do not
	grant access to the network, regardless of whether
	the device provides the correct credentials and has
	802.1x support. In this state, the port blocks access
	to any connected device.

6-15

Contents

Page Page HP Procurve Series 4100GL Switches Page Getting Started 1 Configuring Username and Password Security 2 TACACS+ Authentication 3 RADIUS Authentication and Accounting 4 Configuring Secure Shell (SSH) 5 Configuring Secure Socket Layer (SSL) 6 Configuring Port-BasedAccess Control (802.1x) 7 Configuring and Monitoring Port Security 8 Using Authorized IP Managers Page Page Getting Started Introduction Overview of Access Security Features Table Command Syntax Conventions copy tftp Simulating Display Output hostname Figure 1. Example of a Figure Showing a Simulated Screen Related Publications Page Getting Documentation From the Web 2.Click on technical support manuals Sources for More Information http://www.hp.com/go/hpprocurve Need Only a Quick Start IP Addressing setup 8.Run Setup Page Configuring Username and Password Security Note Caution Inactivity Time Configuring Local Password Security Figure 1-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Configuring Manager and Operator Passwords Figure 1-2.Example of Configuring Manager and Operator Passwords Figure 1-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface TACACS+ Authentication A3 or A2 or Figure 2-1.Example of TACACS+ Operation Notes Regarding Software Release G.05 Terminology Used in TACACS Applications: NAS (Network Access Server): TACACS+ Server: Authentication: General System Requirements Notes General Authentication Setup Procedure Note on Privilege Levels ping write memory Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Figure 2-2.Example Listing of the Switch’s Authentication Configuration paris-1 show tacacs Figure 2-3.Example of the Switch’s TACACS+ Configuration Listing Page Table 2-1.AAA Authentication Parameters Table 2-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Access Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Page Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 2-4.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key “Using the Encryption Key” on page How Authentication Operates Figure 2-6.Using a TACACS+ Server for Authentication Page Local Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page RADIUS Authentication and Accounting Authentication Host: See RADIUS Server RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: RADIUS Server: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Table 3-1.Preparation for Configuring RADIUS on the Switch Figure 3-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Local Authentication Process Access When Using RADIUS Configuring RADIUS Accounting Network accounting: Exec accounting: System accounting: Page Page Exec: exec System: system system ■Start-Stop: start-stop stop-only Figure 3-8.Example of Configuring Accounting Types Updates: Suppress: Syntax:[no] aaa accounting update periodic < 1 .. 525600 > Sets the accounting [no] aaa accounting suppress null-usernameDisablesaccounting for unknown Viewing RADIUS Statistics show radius Figure 3-11.RADIUS Server Information From the Show Radius Host Command Page Figure 3-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 3-13.Example of RADIUS Authentication Information from a Specific Server Figure 3-14.Listing the Accounting Configuration in the Switch Figure 3-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 3-17.Search Order for Accessing a RADIUS Server Figure 3-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Page Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 4-1.Client Public Key Authentication Model http: www.openssh.com Figure 4-2.Switch/User Authentication SSH Server: Key Pair: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication SSH Options Page login public key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication Page Page Note on Public Keys smith@fellow fingerprint clear crypto Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) http:// www.openssl.com Server Certificate authentication with User Password Figure 5-1.Switch/User Authentication SSL Server: Self-Signed Certificate: Root Certificate: Prerequisite for Using SSL Steps for Configuring and Using SSL for Page Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL setup Page Configuring Port-BasedAccess Control (802.1x) Overview Page Authenticating One Switch to Another. 802.1x authentication also Figure 6-1.Example of an 802.1x Application Accounting How 802.1x Operates Figure 6-2.Example of Supplicant Operation Authorized-Client VLAN: Authentication Server: CHAP (MD5): Client: EAP EAPOL : Friendly Client: MD5: PVID (Port VID): Page Error configuring port X: LACP and 802.1x cannot be run together and LACP General Setup Procedure for Port-BasedAccess Control (802.1x) eap-radius chap-radius radius host Page Configuring Switch Ports as Authenticators Page (Syntax Continued) max-requests quiet period Page Figure 6-3.Example of 802.1x (Port-Access)Authentication Page 802.1x Open VLAN Mode 1st Priority: 2nd Priority: Unauthorized-Client Table 6-1.802.1x Open VLAN Mode Options 802.1x Per-PortConfiguration Port Response Note: Page Condition Rule Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1x Devices Note on Blocking a Non- 802.1x Device control authorized auto authorized Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Figure 6-4.Example of Supplicant Operation Page identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1x Configuration, Statistics, and Counters supplicant Figure 6-5.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 6-1.Open VLAN Mode Status Figure 6-6.Example of Showing a VLAN with Ports Configured for Open VLAN Mode Connecting port-access supplicant statistics [e] port-list How RADIUS/802.1x Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 6-7.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1x Operation Table 6-2.802.1x Operating Messages Page Configuring and Monitoring Port Security Basic Operation Default Port Security Operation Intruder Protection Authorized (MAC) Addresses: Blocking Unauthorized Traffic Figure 7-1.Example of How Port Security Controls Access Trunk Group Exclusion Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Web: Displaying and Configuring Port Security Features Security Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 7-9.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation Figure 7-10.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 7-11.Example of the Intrusion Log Display prior to show interfaces brief intrusion-log Figure 7-14.Example of Port Status Screen After Alert Flags Reset From the CLI search-text ffi security Operating Notes for Port Security Page Page Using Authorized IP Managers Using Authorized IP Managers Authorized IP Manager Features Options Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration 7.IP Authorized Managers Figure 8-1.Example of How To Add an Authorized Manager Entry Figure 8-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Page Web: Configuring IP Authorized Managers Building IP Masks Figure 8-4.Analysis of IP Mask for Single-StationEntries Page Figure 8-5.Analysis of IP Mask for Multiple-StationEntries Modem and Direct Console Access: Duplicate IP Addresses: Web Proxy Servers: Page Page Numerics