HP 4100gl 164

Configuring Port-Based Access Control (802.1x)

802.1x Open VLAN Mode

Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 6-38.

802.1x Open VLAN Operating Notes

■Although you can configure Open VLAN mode the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended. Using the same VLAN for both purposes allows unauthenticated clients access to a VLAN intended only for authenticated clients, which poses a security breach.

■While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured

VLAN for which that port is configured as an untagged member. Note that the Menu interface will still display the port’s statically config-

ured VLAN.

■

■

An Unauthorized-Client VLAN should not be statically configured on any switch port that allows access to resources that must be protected from unauthenticated clients.

If a port is configured as a tagged member of a VLAN that is not used as an Unauthorized-Client, Authorized-Client, or RADIUS-assigned VLAN, then the client can access such VLANs only if it is capable of operating in a tagged VLAN environment. Otherwise, the client can access only the Unauthorized-Client VLAN (before authentication) and either the Authorized-Client or RADIUS-assigned VLAN after authentication. (In all three cases, membership will be untagged, regardless of any static configuration specifying tagged membership.) If there is no Authorized-Client or RADIUS-assigned VLAN, then an authenticated client can access only a statically configured, untagged VLAN on that port.

■

■

When a client’s authentication attempt on an Unauthorized-Client VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.

During an authentication session on a port in 802.1x Open VLAN mode, if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN. If there is no Authorized-Client VLAN configured, then the RADIUS assignment overrides any untagged VLAN for which the port is statically configured.

6-30

Contents

Page Page HP Procurve Series 4100GL Switches Page Getting Started 1 Configuring Username and Password Security 2 TACACS+ Authentication 3 RADIUS Authentication and Accounting 4 Configuring Secure Shell (SSH) 5 Configuring Secure Socket Layer (SSL) 6 Configuring Port-BasedAccess Control (802.1x) 7 Configuring and Monitoring Port Security 8 Using Authorized IP Managers Page Page Getting Started Introduction Overview of Access Security Features Table Command Syntax Conventions copy tftp Simulating Display Output hostname Figure 1. Example of a Figure Showing a Simulated Screen Related Publications Page Getting Documentation From the Web 2.Click on technical support manuals Sources for More Information http://www.hp.com/go/hpprocurve Need Only a Quick Start IP Addressing setup 8.Run Setup Page Configuring Username and Password Security Note Caution Inactivity Time Configuring Local Password Security Figure 1-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No Configuring Manager and Operator Passwords Figure 1-2.Example of Configuring Manager and Operator Passwords Figure 1-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface TACACS+ Authentication A3 or A2 or Figure 2-1.Example of TACACS+ Operation Notes Regarding Software Release G.05 Terminology Used in TACACS Applications: NAS (Network Access Server): TACACS+ Server: Authentication: General System Requirements Notes General Authentication Setup Procedure Note on Privilege Levels ping write memory Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Figure 2-2.Example Listing of the Switch’s Authentication Configuration paris-1 show tacacs Figure 2-3.Example of the Switch’s TACACS+ Configuration Listing Page Table 2-1.AAA Authentication Parameters Table 2-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Access Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Page Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 2-4.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key “Using the Encryption Key” on page How Authentication Operates Figure 2-6.Using a TACACS+ Server for Authentication Page Local Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page RADIUS Authentication and Accounting Authentication Host: See RADIUS Server RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: RADIUS Server: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Table 3-1.Preparation for Configuring RADIUS on the Switch Figure 3-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Local Authentication Process Access When Using RADIUS Configuring RADIUS Accounting Network accounting: Exec accounting: System accounting: Page Page Exec: exec System: system system ■Start-Stop: start-stop stop-only Figure 3-8.Example of Configuring Accounting Types Updates: Suppress: Syntax:[no] aaa accounting update periodic < 1 .. 525600 > Sets the accounting [no] aaa accounting suppress null-usernameDisablesaccounting for unknown Viewing RADIUS Statistics show radius Figure 3-11.RADIUS Server Information From the Show Radius Host Command Page Figure 3-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 3-13.Example of RADIUS Authentication Information from a Specific Server Figure 3-14.Listing the Accounting Configuration in the Switch Figure 3-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 3-17.Search Order for Accessing a RADIUS Server Figure 3-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Page Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 4-1.Client Public Key Authentication Model http: www.openssh.com Figure 4-2.Switch/User Authentication SSH Server: Key Pair: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication SSH Options Page login public key erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication Page Page Note on Public Keys smith@fellow fingerprint clear crypto Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) http:// www.openssl.com Server Certificate authentication with User Password Figure 5-1.Switch/User Authentication SSL Server: Self-Signed Certificate: Root Certificate: Prerequisite for Using SSL Steps for Configuring and Using SSL for Page Page Configuring the Switch for SSL Page Page Page Page Page Page Page Page Page Page Page Page Page Common Errors in SSL setup Page Configuring Port-BasedAccess Control (802.1x) Overview Page Authenticating One Switch to Another. 802.1x authentication also Figure 6-1.Example of an 802.1x Application Accounting How 802.1x Operates Figure 6-2.Example of Supplicant Operation Authorized-Client VLAN: Authentication Server: CHAP (MD5): Client: EAP EAPOL : Friendly Client: MD5: PVID (Port VID): Page Error configuring port X: LACP and 802.1x cannot be run together and LACP General Setup Procedure for Port-BasedAccess Control (802.1x) eap-radius chap-radius radius host Page Configuring Switch Ports as Authenticators Page (Syntax Continued) max-requests quiet period Page Figure 6-3.Example of 802.1x (Port-Access)Authentication Page 802.1x Open VLAN Mode 1st Priority: 2nd Priority: Unauthorized-Client Table 6-1.802.1x Open VLAN Mode Options 802.1x Per-PortConfiguration Port Response Note: Page Condition Rule Page Page Page Page rad4all Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1x Devices Note on Blocking a Non- 802.1x Device control authorized auto authorized Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Figure 6-4.Example of Supplicant Operation Page identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1x Configuration, Statistics, and Counters supplicant Figure 6-5.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 6-1.Open VLAN Mode Status Figure 6-6.Example of Showing a VLAN with Ports Configured for Open VLAN Mode Connecting port-access supplicant statistics [e] port-list How RADIUS/802.1x Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 6-7.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1x Operation Table 6-2.802.1x Operating Messages Page Configuring and Monitoring Port Security Basic Operation Default Port Security Operation Intruder Protection Authorized (MAC) Addresses: Blocking Unauthorized Traffic Figure 7-1.Example of How Port Security Controls Access Trunk Group Exclusion Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Web: Displaying and Configuring Port Security Features Security Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 7-9.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation Figure 7-10.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 7-11.Example of the Intrusion Log Display prior to show interfaces brief intrusion-log Figure 7-14.Example of Port Status Screen After Alert Flags Reset From the CLI search-text ffi security Operating Notes for Port Security Page Page Using Authorized IP Managers Using Authorized IP Managers Authorized IP Manager Features Options Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration 7.IP Authorized Managers Figure 8-1.Example of How To Add an Authorized Manager Entry Figure 8-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Page Web: Configuring IP Authorized Managers Building IP Masks Figure 8-4.Analysis of IP Mask for Single-StationEntries Page Figure 8-5.Analysis of IP Mask for Multiple-StationEntries Modem and Direct Console Access: Duplicate IP Addresses: Web Proxy Servers: Page Page Numerics