HP 4100gl Table

Getting Started

Overview of Access Security Features

Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized".

HP recommends that you use local passwords together with the switch’s other security features to provide a more comprehensive security fabric than if you use only the local password option. Table 1 lists these features with the security coverage they provide.

Table 1.	Management Access Security Protection

	Security Feature	Offers Protection Against Unauthorized Client Access to					Offers Protection
			Switch Management Features				Against
		Connection	Telnet	SNMP	Web	SSH	Unauthorized Client
		Connection	Telnet	SNMP	Web	SSH	Access to the
				(Net Mgmt)	Browser	Client	Access to the
				(Net Mgmt)	Browser	Client	Network
							Network

Local Manager and Operator		PtP:	Yes	No	Yes	Yes	No
Usernames and Passwords*		Remote:	Yes	No	Yes	Yes	No
		Remote:	Yes	No	Yes	Yes	No

TACACS+*		PtP:	Yes	No	No	Yes	No
		Remote:	Yes	No	No	Yes	No

RADIUS*		PtP:	Yes	No	No	Yes	No
		Remote:	Yes	No	No	Yes	No

SSH		Ptp:	Yes	No	No	Yes	No
		Remote:	Yes	No	No	Yes	No

SSL		PtP:	No	No	Yes	No	No

		Remote:	No	No	Yes	No	No

Port-Based Access Control (802.1x)		PtP:	Yes	Yes	Yes	Yes	Yes
		Remote:	No	No	No	No	No

Port Security (MAC address)		PtP:	Yes	Yes	Yes	Yes	Yes
		Remote:	Yes	Yes	Yes	Yes	Yes

Authorized IP Managers		PtP:	Yes	Yes	Yes	Yes	No
		Remote:	Yes	Yes	Yes	Yes	No

*Protection for serial port access includes the local Manager/Operator, TACACS+, and RADIUS options (direct connect or modem access).

There are two security areas to protect: access to the switch management features and access to the network through the switch. The above table shows the type of protection each switch security feature offers.

The Product Documentation CD-ROMshipped with the switch includes a copy of this guide. You can also download the latest copy from the HP Procurve website. (Refer to “Getting Documentation From the Web”, below.)

xiii

Contents

Page Page HP Procurve Series 4100GL Switches Page Getting Started 1 Configuring Username and Password Security 2 TACACS+ Authentication 3 RADIUS Authentication and Accounting 4 Configuring Secure Shell (SSH) 5 Configuring Secure Socket Layer (SSL) 6 Configuring Port-BasedAccess Control (802.1x) 7 Configuring and Monitoring Port Security 8 Using Authorized IP Managers Page Page Getting Started Introduction Overview of Access Security Features Table Command Syntax Conventions copy tftp Simulating Display Output hostname Figure 1. Example of a Figure Showing a Simulated Screen Related Publications Page Getting Documentation From the Web 2.Click on technical support manuals Sources for More Information http://www.hp.com/go/hpprocurve Need Only a Quick Start IP Addressing setup 8.Run Setup Page Configuring Username and Password Security Note Caution Inactivity Time Configuring Local Password Security Figure 1-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Configuring Manager and Operator Passwords Figure 1-2.Example of Configuring Manager and Operator Passwords Figure 1-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface TACACS+ Authentication A3 or A2 or Figure 2-1.Example of TACACS+ Operation Notes Regarding Software Release G.05 Terminology Used in TACACS Applications: NAS (Network Access Server): TACACS+ Server: Authentication: General System Requirements Notes General Authentication Setup Procedure Note on Privilege Levels ping write memory Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Figure 2-2.Example Listing of the Switch’s Authentication Configuration paris-1 show tacacs Figure 2-3.Example of the Switch’s TACACS+ Configuration Listing Page Table 2-1.AAA Authentication Parameters Table 2-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Access Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Page Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 2-4.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key “Using the Encryption Key” on page How Authentication Operates Figure 2-6.Using a TACACS+ Server for Authentication Page Local Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page RADIUS Authentication and Accounting Authentication Host: See RADIUS Server RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: RADIUS Server: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Table 3-1.Preparation for Configuring RADIUS on the Switch Figure 3-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Local Authentication Process Access When Using RADIUS Configuring RADIUS Accounting Network accounting: Exec accounting: System accounting: Page Page Exec: exec System: system system ■Start-Stop: start-stop stop-only Figure 3-8.Example of Configuring Accounting Types Updates: Suppress: Syntax:[no] aaa accounting update periodic < 1 .. 525600 > Sets the accounting [no] aaa accounting suppress null-usernameDisablesaccounting for unknown Viewing RADIUS Statistics show radius Figure 3-11.RADIUS Server Information From the Show Radius Host Command Page Figure 3-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 3-13.Example of RADIUS Authentication Information from a Specific Server Figure 3-14.Listing the Accounting Configuration in the Switch Figure 3-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 3-17.Search Order for Accessing a RADIUS Server Figure 3-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Page Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 4-1.Client Public Key Authentication Model http: www.openssh.com Figure 4-2.Switch/User Authentication SSH Server: Key Pair: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication SSH Options Page login public key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication Page Page Note on Public Keys smith@fellow fingerprint clear crypto Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) http:// www.openssl.com Server Certificate authentication with User Password Figure 5-1.Switch/User Authentication SSL Server: Self-Signed Certificate: Root Certificate: Prerequisite for Using SSL Steps for Configuring and Using SSL for Page Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL setup Page Configuring Port-BasedAccess Control (802.1x) Overview Page Authenticating One Switch to Another. 802.1x authentication also Figure 6-1.Example of an 802.1x Application Accounting How 802.1x Operates Figure 6-2.Example of Supplicant Operation Authorized-Client VLAN: Authentication Server: CHAP (MD5): Client: EAP EAPOL : Friendly Client: MD5: PVID (Port VID): Page Error configuring port X: LACP and 802.1x cannot be run together and LACP General Setup Procedure for Port-BasedAccess Control (802.1x) eap-radius chap-radius radius host Page Configuring Switch Ports as Authenticators Page (Syntax Continued) max-requests quiet period Page Figure 6-3.Example of 802.1x (Port-Access)Authentication Page 802.1x Open VLAN Mode 1st Priority: 2nd Priority: Unauthorized-Client Table 6-1.802.1x Open VLAN Mode Options 802.1x Per-PortConfiguration Port Response Note: Page Condition Rule Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1x Devices Note on Blocking a Non- 802.1x Device control authorized auto authorized Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Figure 6-4.Example of Supplicant Operation Page identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1x Configuration, Statistics, and Counters supplicant Figure 6-5.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 6-1.Open VLAN Mode Status Figure 6-6.Example of Showing a VLAN with Ports Configured for Open VLAN Mode Connecting port-access supplicant statistics [e] port-list How RADIUS/802.1x Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 6-7.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1x Operation Table 6-2.802.1x Operating Messages Page Configuring and Monitoring Port Security Basic Operation Default Port Security Operation Intruder Protection Authorized (MAC) Addresses: Blocking Unauthorized Traffic Figure 7-1.Example of How Port Security Controls Access Trunk Group Exclusion Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Web: Displaying and Configuring Port Security Features Security Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 7-9.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation Figure 7-10.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 7-11.Example of the Intrusion Log Display prior to show interfaces brief intrusion-log Figure 7-14.Example of Port Status Screen After Alert Flags Reset From the CLI search-text ffi security Operating Notes for Port Security Page Page Using Authorized IP Managers Using Authorized IP Managers Authorized IP Manager Features Options Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration 7.IP Authorized Managers Figure 8-1.Example of How To Add an Authorized Manager Entry Figure 8-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Page Web: Configuring IP Authorized Managers Building IP Masks Figure 8-4.Analysis of IP Mask for Single-StationEntries Page Figure 8-5.Analysis of IP Mask for Multiple-StationEntries Modem and Direct Console Access: Duplicate IP Addresses: Web Proxy Servers: Page Page Numerics