Example of TACACS+ Operation, TACACS+ Authentication | HP 4100gl

TACACS+ Authentication

Overview

Overview

Feature	Default	Menu	CLI	Web
view the switch’s authentication configuration	n/a	—	page	—
			2-10
view the switch’s TACACS+ server contact	n/a	—	page	—
configuration			2-10
configure the switch’s authentication methods	disabled	—	page	—
			2-11
configure the switch to contact TACACS+ server(s)	disabled	—	page	—
			2-15

TACACS+ authentication enables you to use a central server to allow or deny access to the Series 4100GL switches (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch’s console port (local access) or Telnet (remote access).

	A3 or
	B3
	A2 or
Primary	B2
TACACS+
Server

The switch passes the login requests from terminals A and B to the TACACS+ server for authentication. The TACACS+ server determines whether to allow access to the switch and what privilege level to allow for a given access request.

		A4
		A1
	Series 4100GL switch	A	Terminal "A" Directly
	Series 4100GL switch	A	Accessing the Switch
	Configured for		Via Switch’s Console
	TACACS+ Operation		Port
B4	B
B1	B
B1
	Terminal "B" Remotely Accessing The Switch Via Telnet
Access Request			A1 - A4 : Path for Request from
			Terminal A (Through Console Port)

TACACS Server	B1 - B4: Path for Request from
Response	Terminal B (Through Telnet)

Figure 2-1. Example of TACACS+ Operation

TACACS+ in the Series 4100GL switches manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authen tication hierarchy consisting of (1) remote passwords assigned in a TACACS+

2-2

Image 30

HP 4100gl manual Example of TACACS+ Operation, TACACS+ Authentication

Contents

Access security guide Hp procurve Series 4100gl switches Page HP Procurve Series 4100GL Switches Access Security Guide Publication Number Contents Controlling Web Browser Interface Access When Configuring the Switch for Radius Authentication Controlling Web Browser Interface Access When Using Radius Authentication Further Information on SSH Client Public-Key Authentication 802.1x Connections to Other Switches General Setup Procedure forConfiguring Switch Ports To Operate As Supplicants for Operating Rules for Authorized-Client Web Displaying and Configuring Port Security Features How RADIUS/802.1x Authentication Affects Vlan OperationPort Security Command Options and Operation Resetting Alert Flags Operating Notes for Port Security Defining Authorized Management Stations Page Getting Started Contents Overview of Access Security Features IntroductionGetting Started Xiii Command Syntax Conventions Command PromptsSimulating Display Output Related Publications Screen Simulations Getting Started Getting Documentation From the Web Click on technical support Sources for More Information Need Only a Quick Start? To Set Up and Install the Switch in Your NetworkRun Setup Main Menu of the Menu interface, selectPage Configuring Username and Password Security Overview Configuring Username and Password SecurityFeature Default Menu Level Actions Permitted Passwords are case-sensitive To set a new password Configuring Local Password SecurityMenu Setting Passwords Console Passwords Configuring Manager and Operator Passwords CLI Setting Passwords and UsernamesContinue Deletion of password protection? No Commands Used in This Section Click on the Security tab Web Setting Passwords and UsernamesClick on Device Passwords Enter TACACS+ Authentication Using TACACS+ Authentication Messages Operating Notes TACACS+ Authentication Example of TACACS+ Operation TACACS+ Authentication Terminology Used in Tacacs Applications General System Requirements General Authentication Setup Procedure Always used as the secondary access control method Result in Operator read-only access. Thus, when configuringAdditional features that the application offers Determine the following Telnet Command Configuring TACACS+ on the SwitchCLI Commands Described in this Section Before You Begin Viewing the Switch’s Current Authentication Configuration This example shows the default authentication configuration Configuring the Switch’s Authentication Methods Authentication for the access being configured is local AAA Authentication ParametersName Default Range Function Method/privilege path. Available only if the primary method Primary/Secondary Authentication Table Login Primary to Local authentication HPswitchconfig# aaa authentication num-attempts Configuring the Switch’s TACACS+ Server Access TACACS+ server Syntax tacacs-server host ip-addr key key-string Name Default Range None Timeout 1 None null HPswitchconfig# no tacacs-server host To configure north01 as a per-server encryption key How Authentication Operates General Authentication Process Using a TACACS+ ServerChanges without executing write mem TACACS+ Authentication Local Authentication Process Authentication Using the Encryption Key HPswitchconfig# tacacs-server key north40campus Operating Notes Tacacs-server configurationMessages Related to TACACS+ Operation CLI Message Meaning Rized persons Radius Authentication and Accounting Controlling Web Browser Interface Access When Using Radius Port-Access Radius Authentication and Accounting Terminology Switch Operating Rules for Radius General Radius Setup Procedure Preparation for Configuring Radius on the Switch Configuring the Switch for Radius Authentication Outline of the Steps for Configuring Radius AuthenticationRadius Authentication Commands Radius server documentation Used on the specified Radius server. Default nullConfigure the global Radius parameters Server IP address Local none Example Configuration for Radius Authentication Authentication Process on Configure the Switch To Access a Radius Server Configuring Radius Accounting instead of continuing here Radius Authentication and Accounting Configure the Switch’s Global Radius Parameters Key global-key-string To an authentication request before counting the attempt as Local Authentication Process Listings of Global Radius Parameters Configured In Figure Word pair for the level you want to enter Configuring Radius Accounting Radius Accounting CommandsOn page 3-5 before continuing here Operating Rules for Radius Accounting Steps for Configuring Radius Accounting Configure the Switch To Access a Radius Server Radius Authentication and Accounting Example of Configuring Accounting Types Start-Stop Update period Viewing Radius Statistics General Radius Statistics Term Definition PendingRequests Radius Authentication Statistics 14. Listing the Accounting Configuration in the Switch Radius Accounting Statistics Changing RADIUS-Server Access Order 17. Search Order for Accessing a Radius Server 18. Example of New Radius Server Search Order Messages Related to Radius Operation Message MeaningPage Configuring Secure Shell SSH Configuring the Switch for SSH Operation Client Public Key Authentication Model Configuring Secure Shell SSH Use a key to authenticate itself to the switch 3DES 168-bitDES 56-bit Prerequisite for Using SSH Public Key Formats SSH Options Enable Ssh enable tacacs Switch Primary SSH Authenticate Primary SwitchManager Ssh enable local Ssh enable radius Configuring Secure Shell SSH General Operating Rules and Notes Configuring the Switch for SSH Operation SSH-Related Commands in This Section Generating the Switch’s Public and Private Key Pair Example of Configuring Local Passwords To the switch using the earlier pair CLI kill commandPair automatically disables SSH Providing the Switch’s Public Key to Clients For example, to generate and display a new keyOperation Example of a Public Key Generated by the Switch Inserted Bit Exponent Modulus Switch’s Public and Private Key Pair on To enable SSH on the switch Version of SSH to accept connections from. default 1-or-2 On the switch by appearing to be you Configuring the Switch for SSH Authentication Option a Configuring SSH Access for Password-Only SSH U t i o n Configures Use an SSH Client To Access the Switch 14 shows how to check the results of the above commands Further Information on SSH Client Public-Key Authentication 15. Example of a Client Public Key Property Supported Comments Value Ascii Show crypto client-public-key babble fingerprint Deletes the client-public-key file from the switch Messages Related to SSH Operation 00000K Peer unreachable Key for the switch Assigning a Local Login Operator Comments on certificate fields Server Certificate authentication with User Password Configuring Secure Socket Layer SSL 3DES 168-bit, 112 Effective RC4 40-bit, 128-bit Prerequisite for Using SSL General steps for configuring ssl include Client Preparation Provided with your browser General Operating Rules and Notes Configuring the Switch for SSL Operation Assigning a Local Login Operator and Enable ManagerPasswordSSL-Related CLI Commands in This Section Security Tab Password Button Verified unequivocally Generating the Switch’s Server Host CertificateParticular switch/client session, and then discarded Earlier certificate CLI commands used to generate a Server Host Certificate CLI Certificate Field Descriptions For example, to generate a key and a new host certificateField Name Description Can resume SSL operation CLI Command to view host certificatesHost-cert command For example, to display the new server host certificate Iii Select Self signed certificate in the type box Installed certificateSelect the Generate Certificate button New key then just select current from the list Configuring Secure Socket Layer SSL Web browser Interface showing current SSL Host Certificate Configuring Secure Socket Layer SSL Certificate Request Certificate Request Reply T e Zeroize the switch’s host certificate or certificate key . Execute no web-management ssl Enable SLL Port number Selection Common Errors in SSL setup Error During Possible CausePage General Setup Procedure for Port-Based Access Control General Operating Rules and Notes -9Messages Related to 802.1x Operation -47 Refer to Radius Authentication and Accounting on Why Use Port-Based Access Control?General Features 802.1x on the Series 4100GL switches includes the following Configuring Port-Based Access Control Authenticating One Switch to Another .1x authentication also Authenticator Operation How 802.1x Operates Switch-Port Supplicant Operation Example of Supplicant Operation Terminology 802.1x standard General Operating Rules and Notes Configuring Port-Based Access Control General Setup Procedure for Port-Based Access Control Do These Steps Before You Configure 802.1x Operation Overview Configuring 802.1x Authentication on Switch Authenticators operate as expected Configuring Port-Based Access Control Configuring Switch Ports as Authenticators 802.1x Authentication Commands Enable 802.1x Authentication on Selected Ports To activate 802.1x authentication on the switch Tx-period 0 Clears authenticator statistics counters Eap-radius Configure the 802.1x Authentication MethodLocal Chap-radius Enable 802.1x Authentication on the Switch Enter the Radius Host IP Addresses 802.1x-Related Show Commands Radius server configuration 802.1x Open Vlan ModeIntroduction Use Models for 802.1x Open Vlan Modes Tagged Vlan as the Unauthorized-Client Vlan Port as a static, tagged member of the VLAN, membership 802.1x Per-Port Configuration Port Response Condition Rule Multiple Authenticator Ports Using Setting Up and Configuring 802.1x Open Vlan Mode Before you configure the 802.1x Open Vlan mode on a port Mised by an unauthorized client Activate authentication on the switch Port-Security To Allow Only 802.1x Devices onVlan Operation HPswitchconfig# aaa authentication port-access eap-radius 802.1x Open Vlan Operating Notes Action none send-alarm send-disable Enables 802.1x authentication on the port 802.1x Authentication Commands 802.1x Supplicant Commands Authenticator at the same time Specified ports Syntax aaa port-access supplicant ethernet port-list Enter secret password Repeat secret password Max-start 1 Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Authenticator Viewing 802.1x Open Vlan Mode Status Page Open Vlan Mode Status To the port Configuring Port-Based Access Control Show Commands for Port-Access Supplicant Supplicant port detects a different authenticator deviceSwitch reboots How RADIUS/802.1x Authentication Affects Vlan Operation Example of an Active Vlan Configuration Otherwise, port A2 is not listed Assignment Messages Related to 802.1x Operation 1x Operating MessagesPage Basic Operation Blocking Unauthorized Traffic -3 Trunk Group Exclusion -4Retention of Static Addresses Configuring and Monitoring Port Security Basic Operation Blocking Unauthorized Traffic Trunk Group Exclusion Security Planning Port Security Commands Port Security Command Options OperationPort Security Commands Used in This Section Acquires and maintains authorized addresses Address address-limit integer Port Security ParametersMode Mac-address mac-addr Retention of Static Addresses Parameter DescriptionClear- clear-intrusion-flag Displaying Current Port Security Settings Using the CLI To Display Port Security Settings Configuring Port Security Configuring and Monitoring Port Security Example of Adding an Authorized Device to a Port Removing a Device From the Authorized List for a Port. This Command option removes unwanted devices MAC addresses fromDevice’s MAC address. For example Entry in the table on To automatically become authorized Remove 0c0090-123456 from the Authorized Address list Web Displaying and Configuring Port Security Features Reading Intrusion Alerts and Resetting Alert FlagsClick on Port Security How the Intrusion Log Operates Example of Multiple Intrusion Log Entries for the Same Port It detects FlagsOperates as follows Intrusion flag Type I Intrusion log to display the Intrusion Log 11. Example of the Intrusion Log Display List intrusion log content Intrusion Alert on port A1 14. Example of Port Status Screen After Alert Flags Reset Event Log lists port security intrusions as Operating Notes for Port Security Configuring and Monitoring Port Security Page Using Authorized IP Managers Building IP Masks Authorized IP Manager Features Using Authorized IP Managers Access Levels You can configureOptions Defining Authorized Management Stations Overview of IP Mask Operation Building IP Masks on Menu Viewing and Configuring IP Authorized ManagersSwitch Configuration IP Authorized Managers From the console Main Menu, select CLI Viewing and Configuring Authorized IP Managers Authorized IP Managers Commands Used in This Section Configuring IP Authorized Managers for the Switch IP Mask Web Configuring IP Authorized Managers Address of the authorized manager you want to deleteClick on Authorized Addresses Authorized 227 125 Configuring One Station Per Authorized Manager IP EntryBuilding IP Masks Manager IP Using Authorized IP Managers Any value from 0 to 125, or 127 can access the switchBuilding IP Masks IP Mask 255 249 Additional Examples for Authorizing Multiple Stations ResultsAuthorized Using Authorized IP Managers Page Index Index See port access control OpenSSH … 4-3,5-2 operating notes See SSH. proxy Web server … Quick start … SSL See RADIUS. … 3-4 troubleshoot … 2-15 troubleshooting Index Page 5990-3032