HP ProCurve Series 4100GL Switches
Access Security Guide
Contents
Controlling Web Browser Interface Access When Using RADIUS Authentication
Configuring the Switch for RADIUS Authentication
Further Information on SSH Client Public-Key Authentication
General Setup Procedure for Port-Based Access Control
Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches
Operating Rules for Authorized-Client
Web Displaying and Configuring Port Security Features
How RADIUS/802.1x Authentication Affects VLAN Operation
Port Security Command Options and Operation
Resetting Alert Flags Operating Notes for Port Security
Defining Authorized Management Stations
Getting Started Contents
Overview of Access Security Features
Introduction
Getting Started
Command Syntax Conventions
Command Prompts
Simulating Display Output
Related Publications
Screen Simulations
Getting Documentation From the Web
Click on technical support
Sources for More Information
Need Only a Quick Start?
To Set Up and Install the Switch in Your Network
Run Setup
Main Menu of the Menu interface, select
Configuring Username and Password Security
Overview
Feature Default Menu
Level Actions Permitted
Passwords are case-sensitive
To set a new password
Configuring Local Password Security
Menu Setting Passwords
Console Passwords
Configuring Manager and Operator Passwords
CLI Setting Passwords and Usernames
Continue Deletion of password protection? No
Commands Used in This Section
Click on the Security tab
Web Setting Passwords and Usernames
Click on Device Passwords
Enter
TACACS+ Authentication
Using TACACS+ Authentication
Messages Related to TACACS+ Operation
Operating Notes
Example of TACACS+ Operation
Terminology Used in TACACS+ Applications
General System Requirements
General Authentication Setup Procedure
Always used as the secondary access control method
Result in Operator read-only access. Thus, when configuring
Additional features that the application offers
Determine the following
Telnet
Command
Configuring TACACS+ on the Switch
CLI Commands Described in this Section
Before You Begin
Viewing the Switch’s Current Authentication Configuration
This example shows the default authentication configuration
Configuring the Switch’s Authentication Methods
Authentication for the access being configured is local
AAA Authentication Parameters
Name Default Range Function
Method/privilege path. Available only if the primary method
Primary/Secondary Authentication Table
Login Primary to Local authentication
HPswitch(config)# aaa authentication num-attempts
Configuring the Switch’s TACACS+ Server Access
TACACS+ server
Syntax: tacacs-server host <ip-addr> [key <key-string>]
Name Default Range
None
Timeout 1
None null
HPswitch(config)# no tacacs-server host
To configure north01 as a per-server encryption key
How Authentication Operates
General Authentication Process Using a TACACS+ Server
Changes without executing write mem
Local Authentication Process
Authentication
Using the Encryption Key
HPswitch(config)# tacacs-server key north40campus
Operating Notes
Tacacs-server configuration
Messages Related to TACACS+ Operation
CLI Message Meaning
authorized persons
RADIUS Authentication and Accounting
Controlling Web Browser Interface Access When Using RADIUS
Port-Access
Terminology
Switch Operating Rules for RADIUS
General RADIUS Setup Procedure
Preparation for Configuring RADIUS on the Switch
Configuring the Switch for RADIUS Authentication
Outline of the Steps for Configuring RADIUS Authentication
RADIUS Authentication Commands
RADIUS server documentation
Used on the specified RADIUS server. Default: null
Configure the global RADIUS parameters
Server IP address
Local none
Example Configuration for RADIUS Authentication
Authentication Process on
Configure the Switch To Access a RADIUS Server
Configuring RADIUS Accounting instead of continuing here
Configure the Switch’s Global RADIUS Parameters
Key global-key-string
To an authentication request before counting the attempt as
Local Authentication Process
Listings of Global RADIUS Parameters Configured In Figure
Word pair for the level you want to enter
Configuring RADIUS Accounting
RADIUS Accounting Commands
On page 3-5 before continuing here
Operating Rules for RADIUS Accounting
Steps for Configuring RADIUS Accounting
Configure the Switch To Access a RADIUS Server
Example of Configuring Accounting Types
Start-Stop
Update period
Viewing RADIUS Statistics
General RADIUS Statistics
Term Definition
PendingRequests
RADIUS Authentication Statistics
14. Listing the Accounting Configuration in the Switch
RADIUS Accounting Statistics
Changing RADIUS-Server Access Order
17. Search Order for Accessing a RADIUS Server
18. Example of New RADIUS Server Search Order
Messages Related to RADIUS Operation
Message Meaning
Configuring Secure Shell SSH
Configuring the Switch for SSH Operation
Client Public Key Authentication Model
Use a key to authenticate itself to the switch
3DES 168-bit
DES 56-bit
Prerequisite for Using SSH
Public Key Formats
SSH Options
ssh enable tacacs
Switch Primary SSH Authenticate Primary Switch
Manager ssh enable local
ssh enable radius
General Operating Rules and Notes
Configuring the Switch for SSH Operation
SSH-Related Commands in This Section
Generating the Switch’s Public and Private Key Pair
Example of Configuring Local Passwords
To the switch using the earlier pair
CLI kill command
Pair automatically disables SSH
Providing the Switch’s Public Key to Clients
For example, to generate and display a new key
Operation
Example of a Public Key Generated by the Switch
Inserted Bit Exponent Modulus
Switch’s Public and Private Key Pair on
To enable SSH on the switch
Version of SSH to accept connections from (default: 1-or-2)
On the switch by appearing to be you
Configuring the Switch for SSH Authentication
Option a Configuring SSH Access for Password-Only SSH
Configures
Use an SSH Client To Access the Switch
Figure 14 shows how to check the results of the above commands
Further Information on SSH Client Public-Key Authentication
15. Example of a Client Public Key
Property Supported Comments Value
ASCII
show crypto client-public-key [babble | fingerprint]
Deletes the client-public-key file from the switch
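The `babble` and `fingerprint` keywords above print the same client key in two forms: the colon-separated hex digest, and the Bubble Babble encoding, a pronounceable form that is easier to read aloud over the phone when the administrator confirms that the key the switch holds is really the client's key (and, in the other direction, that the host key an SSH client shows is the switch's). The following added example, which is not code from the guide or from HP, computes both forms for an OpenSSH public-key line and compares them with what a switch display shows. The hashing choices are an assumption taken from OpenSSH (MD5 over the decoded key blob for the hex form, Bubble Babble of the SHA-1 digest for `ssh-keygen -B`); the sample key is constructed RSA-shaped wire data, not a real key.

```python
import base64
import hashlib
import struct

# Alphabets from the Bubble Babble specification.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding of a byte string.

    Each pair of input bytes becomes one five-letter group; a running
    checksum ('seed') feeds earlier bytes into later groups, so a single
    changed byte of the digest alters every group after it.
    """
    seed = 1
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + (seed // 6)) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # Even-length input: the final group carries only the checksum.
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer (minimal, sign bit clear)."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return ssh_string(raw)


def openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Assemble an OpenSSH public-key line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprints(openssh_line: str) -> dict:
    """Hex (MD5) and Bubble Babble (SHA-1) fingerprints of an OpenSSH public-key line.

    Assumption (OpenSSH convention, not stated in the guide): the hex form is
    MD5 over the decoded key blob, the babble form is Bubble Babble of the
    blob's SHA-1 digest.
    """
    keytype, b64 = openssh_line.split()[:2]
    blob = base64.b64decode(b64)
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "type": keytype,
        "hex": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "babble": bubble_babble(hashlib.sha1(blob).digest()),
    }


def matches_switch_display(openssh_line: str, shown: str) -> bool:
    """Compare a fingerprint the switch printed with the locally computed ones.

    Case and whitespace are ignored so a value read back over the phone still
    compares; anything else is a mismatch and the key must not be trusted.
    """
    shown = "".join(shown.split()).lower()
    fp = fingerprints(openssh_line)
    return shown in (fp["hex"], fp["babble"])


# Constructed sample: NOT a real key, only RSA-shaped wire data (e=65537, made-up modulus).
SAMPLE_KEY = openssh_rsa_line(65537, 0xC0FFEE1234567890ABCDEF, "constructed-example")

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_KEY)
    print(SAMPLE_KEY)
    print("hex:   ", fp["hex"])
    print("babble:", fp["babble"])
```

The Bubble Babble routine is checked against the specification's own vectors (the empty string encodes to `xexax`, `1234567890` to `xesef-disof-gytuf-katof-movif-baxux`), which is the check to run before relying on a home-grown encoder for fingerprint comparison.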
Messages Related to SSH Operation
00000K Peer unreachable
Key for the switch
Assigning a Local Login (Operator)
Comments on certificate fields
Server Certificate authentication with User Password
Configuring Secure Socket Layer SSL
3DES (168-bit, 112 effective)
RC4 40-bit, 128-bit
Prerequisite for Using SSL
General steps for configuring SSL include client preparation
Provided with your browser
General Operating Rules and Notes
Configuring the Switch for SSL Operation
Assigning a Local Login (Operator) and Enable (Manager) Password
SSL-Related CLI Commands in This Section
Security Tab Password Button
Verified unequivocally
Generating the Switch’s Server Host Certificate
Particular switch/client session, and then discarded
Earlier certificate
CLI commands used to generate a Server Host Certificate
CLI
Certificate Field Descriptions
For example, to generate a key and a new host certificate
Field Name Description
Can resume SSL operation
CLI Command to view host certificates
Host-cert command
For example, to display the new server host certificate
iii. Select Self Signed Certificate in the Type box
Installed certificate
Select the Generate Certificate button
New key then just select current from the list
Web browser Interface showing current SSL Host Certificate
Certificate Request Certificate Request Reply
Zeroize the switch’s host certificate or certificate key.
Execute no web-management ssl
Enable SSL
Port Number Selection
Common Errors in SSL setup
Error During Possible Cause
General Setup Procedure for Port-Based Access Control
General Operating Rules and Notes
Messages Related to 802.1x Operation
Refer to RADIUS Authentication and Accounting on
Why Use Port-Based Access Control?
General Features
802.1x on the Series 4100GL switches includes the following
Configuring Port-Based Access Control
Authenticating One Switch to Another. 802.1x authentication also
Authenticator Operation
How 802.1x Operates
Switch-Port Supplicant Operation
Example of Supplicant Operation
Terminology
802.1x standard
General Operating Rules and Notes
General Setup Procedure for Port-Based Access Control
Do These Steps Before You Configure 802.1x Operation
Overview Configuring 802.1x Authentication on Switch
Authenticators operate as expected
Configuring Switch Ports as Authenticators
802.1x Authentication Commands
Enable 802.1x Authentication on Selected Ports
To activate 802.1x authentication on the switch
tx-period 0
Clears authenticator statistics counters
Configure the 802.1x Authentication Method
eap-radius
chap-radius
local
Enable 802.1x Authentication on the Switch
Enter the Radius Host IP Addresses
802.1x-Related Show Commands Radius server configuration
802.1x Open VLAN Mode
Introduction
Use Models for 802.1x Open VLAN Modes
Tagged VLAN as the Unauthorized-Client VLAN
Port as a static, tagged member of the VLAN, membership
802.1x Per-Port Configuration Port Response
Condition Rule
Multiple Authenticator Ports Using
Setting Up and Configuring 802.1x Open VLAN Mode
Before you configure the 802.1x Open VLAN mode on a port
compromised by an unauthorized client
Activate authentication on the switch
Port-Security To Allow Only 802.1x Devices on
VLAN Operation
HPswitch(config)# aaa authentication port-access eap-radius
802.1x Open VLAN Operating Notes
action [none | send-alarm | send-disable]
Enables 802.1x authentication on the port
802.1x Authentication Commands 802.1x Supplicant Commands
Authenticator at the same time
Specified ports
Syntax: aaa port-access supplicant [ethernet] <port-list>
Enter secret password Repeat secret password
max-start 1
Displaying 802.1x Configuration, Statistics, and Counters
Show Commands for Port-Access Authenticator
Viewing 802.1x Open VLAN Mode Status
Open VLAN Mode Status
To the port
Show Commands for Port-Access Supplicant
Supplicant port detects a different authenticator device
Switch reboots
How RADIUS/802.1x Authentication Affects VLAN Operation
Example of an Active VLAN Configuration
Otherwise, port A2 is not listed
Assignment
Messages Related to 802.1x Operation
802.1x Operating Messages
Basic Operation
Blocking Unauthorized Traffic
Trunk Group Exclusion
Retention of Static Addresses
Configuring and Monitoring Port Security
Basic Operation
Blocking Unauthorized Traffic
Trunk Group Exclusion
Security
Planning Port Security
Commands
Port Security Command Options and Operation
Port Security Commands Used in This Section
Acquires and maintains authorized addresses
address-limit <integer>
Port Security Parameters
Mode
mac-address <mac-addr>
Retention of Static Addresses
Parameter Description
clear-intrusion-flag
Displaying Current Port Security Settings
Using the CLI To Display Port Security Settings
Configuring Port Security
Example of Adding an Authorized Device to a Port
Removing a Device From the Authorized List for a Port. This command option removes unwanted devices’ MAC addresses from
device’s MAC address. For example
Entry in the table on
To automatically become authorized
Remove 0c0090-123456 from the Authorized Address list
Web Displaying and Configuring Port Security Features
Reading Intrusion Alerts and Resetting Alert Flags
Click on Port Security
How the Intrusion Log Operates
Example of Multiple Intrusion Log Entries for the Same Port
It detects
Flags
Operates as follows
Intrusion flag
Type I (Intrusion log) to display the Intrusion Log
11. Example of the Intrusion Log Display
List intrusion log content
Intrusion Alert on port A1
14. Example of Port Status Screen After Alert Flags Reset
Event Log lists port security intrusions as
Operating Notes for Port Security
Using Authorized IP Managers
Building IP Masks
Authorized IP Manager Features
Access Levels
You can configure
Options
Defining Authorized Management Stations
Overview of IP Mask Operation
Building IP Masks on
Menu Viewing and Configuring IP Authorized Managers
Switch Configuration IP Authorized Managers
From the console Main Menu, select
CLI Viewing and Configuring Authorized IP Managers
Authorized IP Managers Commands Used in This Section
Configuring IP Authorized Managers for the Switch
IP Mask
Web Configuring IP Authorized Managers
Address of the authorized manager you want to delete
Click on Authorized Addresses
Authorized Manager IP (last two octets): 227.125
Configuring One Station Per Authorized Manager IP Entry
Building IP Masks
Manager IP
Any value from 0 to
125, or 127 can access the switch
IP Mask (last two octets): 255.249
Additional Examples for Authorizing Multiple Stations
Results
Authorized
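The mask arithmetic behind these examples is worth seeing in full: a 1 bit in the IP Mask means the corresponding bit of a management station's address must match the Authorized Manager IP, and a 0 bit means any value is accepted there, which is why an entry ending in 227.125 with a mask ending in 255.249 admits the four stations 121, 123, 125 and 127 and nothing else. The following added example, not code from the guide or from HP, implements that matching, enumerates the stations an entry admits, and resolves the access level a station gets from a small table of entries. The 10.28.0.0/16 prefix and the `SAMPLE_TABLE` contents are assumptions; only the last two octets 227.125 and 255.249 come from the guide's example, and the tuple representation of the table is an invention for the example.

```python
import ipaddress
from itertools import product


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def manager_allows(manager_ip: str, ip_mask: str, station_ip: str) -> bool:
    """True if station_ip matches one Authorized Manager entry.

    A 1 bit in the IP Mask means the station's bit must equal the bit in the
    Authorized Manager IP; a 0 bit means any value is accepted at that position.
    """
    m, k, s = ip_to_int(manager_ip), ip_to_int(ip_mask), ip_to_int(station_ip)
    return (s & k) == (m & k)


def authorized_stations(manager_ip: str, ip_mask: str, limit: int = 4096) -> list:
    """Every station address an entry admits, lowest first.

    Refuses to expand masks that admit more than `limit` addresses, which is
    also the moment to ask whether such a wide entry was intended.
    """
    m, k = ip_to_int(manager_ip), ip_to_int(ip_mask)
    free_bits = [b for b in range(32) if not (k >> b) & 1]   # 0 bits in the mask
    if 2 ** len(free_bits) > limit:
        raise ValueError(f"mask {ip_mask} admits {2 ** len(free_bits)} addresses, over {limit}")
    base = m & k
    stations = []
    for bits in product((0, 1), repeat=len(free_bits)):
        value = base
        for bit, on in zip(free_bits, bits):
            if on:
                value |= 1 << bit
        stations.append(str(ipaddress.IPv4Address(value)))
    return sorted(stations, key=ip_to_int)


def access_level(entries, station_ip: str):
    """Highest level ('Manager' over 'Operator') any entry grants station_ip, else None.

    `entries` is a list of (manager_ip, ip_mask, level) tuples; this tuple form
    is an assumed stand-in for the switch's Authorized IP Managers table.
    """
    rank = {"Operator": 1, "Manager": 2}
    best = None
    for manager_ip, ip_mask, level in entries:
        if manager_allows(manager_ip, ip_mask, station_ip):
            if best is None or rank[level] > rank[best]:
                best = level
    return best


# Constructed table. 10.28.x.x is an assumed prefix; only 227.125 / 255.249 appear in the guide.
SAMPLE_TABLE = [
    ("10.28.227.125", "255.255.255.249", "Manager"),   # admits 121, 123, 125, 127
    ("10.28.227.0",   "255.255.255.0",   "Operator"),  # any host in 10.28.227.0/24
    ("10.28.5.10",    "255.255.255.255", "Manager"),   # exactly one station
]

if __name__ == "__main__":
    print(authorized_stations("10.28.227.125", "255.255.255.249"))
    for station in ("10.28.227.123", "10.28.227.124", "10.28.5.10", "10.29.1.1"):
        print(station, "->", access_level(SAMPLE_TABLE, station))
```

Enumerating the admitted stations before committing an entry is the check a practitioner wants here: a mask such as 255.255.255.249 is non-contiguous, so the admitted set is not a subnet and cannot be read off the address the way a CIDR prefix can.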
Publication Number 5990-3032