Access security guide Hp procurve Series 4100gl switches
Page
HP Procurve Series 4100GL Switches
Access Security Guide
Publication Number
Contents
Controlling Web Browser Interface Access When
Configuring the Switch for Radius Authentication
Controlling Web Browser Interface Access
When Using Radius Authentication
Further Information on SSH Client Public-Key Authentication
General Setup Procedure for
Configuring Switch Ports To Operate As Supplicants for
802.1x Connections to Other Switches
Operating Rules for Authorized-Client
How RADIUS/802.1x Authentication Affects Vlan Operation
Port Security Command Options and Operation
Web Displaying and Configuring Port Security Features
Resetting Alert Flags Operating Notes for Port Security
Defining Authorized Management Stations
Page
Getting Started Contents
Introduction
Overview of Access Security Features
Getting Started
Xiii
Command Prompts
Command Syntax Conventions
Simulating Display Output
Related Publications
Screen Simulations
Getting Started
Getting Documentation From the Web
Click on technical support
Sources for More Information
To Set Up and Install the Switch in Your Network
Run Setup
Need Only a Quick Start?
Main Menu of the Menu interface, select
Page
Configuring Username and Password Security
Configuring Username and Password Security
Feature Default Menu
Overview
Level Actions Permitted
Passwords are case-sensitive
Configuring Local Password Security
Menu Setting Passwords
To set a new password
Console Passwords
CLI Setting Passwords and Usernames
Continue Deletion of password protection? No
Configuring Manager and Operator Passwords
Commands Used in This Section
Web Setting Passwords and Usernames
Click on Device Passwords
Click on the Security tab
Enter
TACACS+ Authentication
Using TACACS+ Authentication Messages Operating Notes
TACACS+ Authentication
Example of TACACS+ Operation
TACACS+ Authentication
Terminology Used in Tacacs Applications
General System Requirements
General Authentication Setup Procedure
Result in Operator read-only access. Thus, when configuring
Additional features that the application offers
Always used as the secondary access control method
Determine the following
Telnet
Configuring TACACS+ on the Switch
CLI Commands Described in this Section
Command
Before You Begin
Viewing the Switch’s Current Authentication Configuration
This example shows the default authentication configuration
Configuring the Switch’s Authentication Methods
AAA Authentication Parameters
Name Default Range Function
Authentication for the access being configured is local
Method/privilege path. Available only if the primary method
Primary/Secondary Authentication Table
Login Primary to Local authentication
HPswitchconfig# aaa authentication num-attempts
Configuring the Switch’s TACACS+ Server Access
TACACS+ server
Syntax tacacs-server host ip-addr key key-string
Name Default Range
None
Timeout 1
None null
HPswitchconfig# no tacacs-server host
To configure north01 as a per-server encryption key
General Authentication Process Using a TACACS+ Server
How Authentication Operates
Changes without executing write mem
TACACS+ Authentication
Local Authentication Process
Authentication
Using the Encryption Key
HPswitchconfig# tacacs-server key north40campus
Tacacs-server configuration
Messages Related to TACACS+ Operation
Operating Notes
CLI Message Meaning
Rized persons
Radius Authentication and Accounting
Controlling Web Browser Interface Access When Using Radius
Port-Access
Radius Authentication and Accounting
Terminology
Switch Operating Rules for Radius
General Radius Setup Procedure
Preparation for Configuring Radius on the Switch
Outline of the Steps for Configuring Radius Authentication
Configuring the Switch for Radius Authentication
Radius Authentication Commands
Used on the specified Radius server. Default null
Configure the global Radius parameters
Radius server documentation
Server IP address
Local none
Example Configuration for Radius Authentication
Authentication Process on
Configure the Switch To Access a Radius Server
Configuring Radius Accounting instead of continuing here
Radius Authentication and Accounting
Configure the Switch’s Global Radius Parameters
Key global-key-string
To an authentication request before counting the attempt as
Local Authentication Process
Listings of Global Radius Parameters Configured In Figure
Word pair for the level you want to enter
Radius Accounting Commands
Configuring Radius Accounting
On page 3-5 before continuing here
Operating Rules for Radius Accounting
Steps for Configuring Radius Accounting
Configure the Switch To Access a Radius Server
Radius Authentication and Accounting
Example of Configuring Accounting Types
Start-Stop
Update period
Viewing Radius Statistics
General Radius Statistics
Term Definition
PendingRequests
Radius Authentication Statistics
14. Listing the Accounting Configuration in the Switch
Radius Accounting Statistics
Changing RADIUS-Server Access Order
17. Search Order for Accessing a Radius Server
18. Example of New Radius Server Search Order
Messages Related to Radius Operation
Message Meaning
Page
Configuring Secure Shell SSH
Configuring the Switch for SSH Operation
Client Public Key Authentication Model
Configuring Secure Shell SSH
3DES 168-bit
Use a key to authenticate itself to the switch
DES 56-bit
Prerequisite for Using SSH
Public Key Formats
SSH Options
Switch Primary SSH Authenticate Primary Switch
Manager Ssh enable local
Enable Ssh enable tacacs
Ssh enable radius
Configuring Secure Shell SSH
General Operating Rules and Notes
Configuring the Switch for SSH Operation
SSH-Related Commands in This Section
Generating the Switch’s Public and Private Key Pair
Example of Configuring Local Passwords
CLI kill command
To the switch using the earlier pair
Pair automatically disables SSH
For example, to generate and display a new key
Providing the Switch’s Public Key to Clients
Operation
Example of a Public Key Generated by the Switch
Inserted Bit Exponent Modulus
Switch’s Public and Private Key Pair on
To enable SSH on the switch
Version of SSH to accept connections from. default 1-or-2
On the switch by appearing to be you
Configuring the Switch for SSH Authentication
Option a Configuring SSH Access for Password-Only SSH
U t i o n
Configures
Use an SSH Client To Access the Switch
14 shows how to check the results of the above commands
Further Information on SSH Client Public-Key Authentication
15. Example of a Client Public Key
Property Supported Comments Value
Ascii
Show crypto client-public-key babble fingerprint
Deletes the client-public-key file from the switch
Messages Related to SSH Operation
00000K Peer unreachable
Key for the switch
Assigning a Local Login Operator
Comments on certificate fields
Server Certificate authentication with User Password
Configuring Secure Socket Layer SSL
3DES 168-bit, 112 Effective
RC4 40-bit, 128-bit
Prerequisite for Using SSL
General steps for configuring ssl include Client Preparation
Provided with your browser
General Operating Rules and Notes
Assigning a Local Login Operator and Enable ManagerPassword
Configuring the Switch for SSL Operation
SSL-Related CLI Commands in This Section
Security Tab Password Button
Generating the Switch’s Server Host Certificate
Particular switch/client session, and then discarded
Verified unequivocally
Earlier certificate
CLI commands used to generate a Server Host Certificate
CLI
For example, to generate a key and a new host certificate
Certificate Field Descriptions
Field Name Description
CLI Command to view host certificates
Host-cert command
Can resume SSL operation
For example, to display the new server host certificate
Installed certificate
Select the Generate Certificate button
Iii Select Self signed certificate in the type box
New key then just select current from the list
Configuring Secure Socket Layer SSL
Web browser Interface showing current SSL Host Certificate
Configuring Secure Socket Layer SSL
Certificate Request Certificate Request Reply
T e
Zeroize the switch’s host certificate or certificate key .
Execute no web-management ssl
Enable SLL Port number Selection
Common Errors in SSL setup
Error During Possible Cause
Page
General Operating Rules and Notes -9
General Setup Procedure for Port-Based Access Control
Messages Related to 802.1x Operation -47
Why Use Port-Based Access Control?
General Features
Refer to Radius Authentication and Accounting on
802.1x on the Series 4100GL switches includes the following
Configuring Port-Based Access Control
Authenticating One Switch to Another .1x authentication also
Authenticator Operation
How 802.1x Operates
Switch-Port Supplicant Operation
Example of Supplicant Operation
Terminology
802.1x standard
General Operating Rules and Notes
Configuring Port-Based Access Control
General Setup Procedure for Port-Based Access Control
Do These Steps Before You Configure 802.1x Operation
Overview Configuring 802.1x Authentication on Switch
Authenticators operate as expected
Configuring Port-Based Access Control
Configuring Switch Ports as Authenticators
802.1x Authentication Commands
Enable 802.1x Authentication on Selected Ports
To activate 802.1x authentication on the switch
Tx-period 0
Clears authenticator statistics counters
Configure the 802.1x Authentication Method
Local
Eap-radius
Chap-radius
Enable 802.1x Authentication on the Switch
Enter the Radius Host IP Addresses
802.1x Open Vlan Mode
802.1x-Related Show Commands Radius server configuration
Introduction
Use Models for 802.1x Open Vlan Modes
Tagged Vlan as the Unauthorized-Client Vlan
Port as a static, tagged member of the VLAN, membership
802.1x Per-Port Configuration Port Response
Condition Rule
Multiple Authenticator Ports Using
Setting Up and Configuring 802.1x Open Vlan Mode
Before you configure the 802.1x Open Vlan mode on a port
Mised by an unauthorized client
Port-Security To Allow Only 802.1x Devices on
Activate authentication on the switch
Vlan Operation
HPswitchconfig# aaa authentication port-access eap-radius
802.1x Open Vlan Operating Notes
Action none send-alarm send-disable
Enables 802.1x authentication on the port
802.1x Authentication Commands 802.1x Supplicant Commands
Authenticator at the same time
Specified ports
Syntax aaa port-access supplicant ethernet port-list
Enter secret password Repeat secret password
Max-start 1
Displaying 802.1x Configuration, Statistics, and Counters
Show Commands for Port-Access Authenticator
Viewing 802.1x Open Vlan Mode Status
Page
Open Vlan Mode Status
To the port
Configuring Port-Based Access Control
Supplicant port detects a different authenticator device
Show Commands for Port-Access Supplicant
Switch reboots
How RADIUS/802.1x Authentication Affects Vlan Operation
Example of an Active Vlan Configuration
Otherwise, port A2 is not listed
Assignment
Messages Related to 802.1x Operation
1x Operating Messages
Page
Blocking Unauthorized Traffic -3 Trunk Group Exclusion -4
Basic Operation
Retention of Static Addresses
Configuring and Monitoring Port Security
Basic Operation
Blocking Unauthorized Traffic
Trunk Group Exclusion
Security
Planning Port Security
Port Security Command Options Operation
Port Security Commands Used in This Section
Commands
Acquires and maintains authorized addresses
Port Security Parameters
Mode
Address address-limit integer
Mac-address mac-addr
Parameter Description
Retention of Static Addresses
Clear- clear-intrusion-flag
Displaying Current Port Security Settings
Using the CLI To Display Port Security Settings
Configuring Port Security
Configuring and Monitoring Port Security
Example of Adding an Authorized Device to a Port
Command option removes unwanted devices MAC addresses from
Device’s MAC address. For example
Removing a Device From the Authorized List for a Port. This
Entry in the table on
To automatically become authorized
Remove 0c0090-123456 from the Authorized Address list
Reading Intrusion Alerts and Resetting Alert Flags
Web Displaying and Configuring Port Security Features
Click on Port Security
How the Intrusion Log Operates
Example of Multiple Intrusion Log Entries for the Same Port
Flags
Operates as follows
It detects
Intrusion flag
Type I Intrusion log to display the Intrusion Log
11. Example of the Intrusion Log Display
List intrusion log content
Intrusion Alert on port A1
14. Example of Port Status Screen After Alert Flags Reset
Event Log lists port security intrusions as
Operating Notes for Port Security
Configuring and Monitoring Port Security
Page
Using Authorized IP Managers
Building IP Masks
Authorized IP Manager Features
Using Authorized IP Managers
You can configure
Access Levels
Options
Defining Authorized Management Stations
Overview of IP Mask Operation
Menu Viewing and Configuring IP Authorized Managers
Switch Configuration IP Authorized Managers
Building IP Masks on
From the console Main Menu, select
CLI Viewing and Configuring Authorized IP Managers
Authorized IP Managers Commands Used in This Section
Configuring IP Authorized Managers for the Switch
IP Mask
Address of the authorized manager you want to delete
Web Configuring IP Authorized Managers
Click on Authorized Addresses
Configuring One Station Per Authorized Manager IP Entry
Building IP Masks
Authorized 227 125
Manager IP
Using Authorized IP Managers
125, or 127 can access the switch
Building IP Masks
Any value from 0 to
IP Mask 255 249
Results
Additional Examples for Authorizing Multiple Stations
Authorized
Using Authorized IP Managers
Page
Index
Index
See port access control OpenSSH … 4-3,5-2 operating notes
See SSH. proxy Web server … Quick start …
SSL
See RADIUS. … 3-4 troubleshoot … 2-15 troubleshooting
Index
Page
5990-3032