Page
Page
Page
Product Documentation
1 Security Overview
2 Configuring Username and Password Security
3 Web and MAC Authentication
4 TACACS+ Authentication
5 RADIUS Authentication, Authorization, and Accounting
Using SNMP To View and Configure
Local Authentication Process
Controlling Web Browser Interface Access
VLAN Assignment in an Authentication Session
6 Configuring Secure Shell (SSH)
7 Configuring Secure Socket Layer (SSL)
8 Configuring Advanced Threat Protection
Page
9 Traffic/Security Filters and Monitors
Option For Authenticator Ports: Configure Port-Security
To Allow Only 802.1X-AuthenticatedDevices
11 Configuring and Monitoring Port Security
12 Using Authorized IP Managers
Page
Page
Product Documentation
Software Feature Index
Page
Page
Page
Security Overview
Page
Access Security Features
Table 1-1.Access Security and Switch Authentication Features
Page
Page
Page
Network Security Features
Table 1-2.Network Security—DefaultSettings and Security Guidelines
Page
Getting Started with Access Security
setup
mgmt-interfaces
Figure 1-1.Example of Management Interface Wizard Configuration
CTRL-C
[n]
CLI Wizard: Operating Notes and Restrictions
no password
Setup Wizard
Figure 1-2.Management Interface Wizard: Welcome Window
Continue
Manager Password, SNMP, Telnet, SSH, Web Management GUI, Timeout
Exit
Back
Figure 1-3.Management Interface Wizard: Summary Setup
Apply
Web Wizard: Operating Notes and Restrictions
SNMP Access to the Authentication Configuration MIB. A
N o t e o n S N M P
A c c e s s t o
M I B
If SNMP access to the hpSwitchAuth MIB is considered a security risk
snmp-servermib hpswitchauthmib excluded
Precedence of Security Options
Page
www.procurve.com/solutions
Security Products
Page
ProCurve Identity-DrivenManager (IDM)
Configuring Username and Password Security
Password Recovery
Feature
Default
Menu
CLI
Web
Menu Interface:
CLI:
C a u t i o n
Configuring Local Password Security
3. Console Passwords
Figure 2-1.The Set Password Screen
Enter new password again
[Enter]
To Delete Password Protection (Including Recovery from a Lost
Password):
Set Passwords
Delete Password Protection
Continue Deletion of password protection? No
Configuring Manager and Operator Passwords
Figure 2-2.Example of Configuring Manager and Operator Passwords
Figure 2-3.Removing a Password and Associated Username from the Switch
no password all
To Configure (or Remove) Usernames and Passwords in the Web Browser Interface
Saving Security Credentials in a Config
File
running-config:
write terminal:
manager:
operator:
port-access:
user-name
plaintext
sha-1
auth
md5
priv
Figure 2-4.Example of Security Credentials Saved in the Running-Config
port-access)
password manager
password operator
Page
Page
show config
running-config
Figure 2-5.Example of SSH Public Keys
copy
include-credentials commands
copy config
config
copy config tftp
copy tftp config
copy config xmodem
snmpv3 user
Page
Front-PanelSecurity
Figure 2-6. Front-PanelButton Locations on a ProCurve 6120G/XG Switch
Figure 2-7. Front-PanelButton Locations on a ProCurve 6120XG Switch
Figure 2-8.Press the Clear Button for Five Seconds To Reset the Password(s)
Figure 2-9.Press and hold the Reset Button for One Second To Reboot the Switch
Page
front-panel-security
Clear Password:
Enabled
Disabled
Note:
Password Recovery:
CAUTION:
Figure 2-10.The Default Front-PanelSecurity Settings
Page
Disabled
password-clear
Figure 2-12.Example of Re-Enablingthe Clear Button’s Default Operation
factory-reset
Default:
Notes:
Figure 2-13.Example of Disabling the Factory Reset Option
Password Recovery
Note: To disable password-recovery:
Steps for Disabling Password-Recovery
factory- reset
no front-panel-security password-recovery
CAUTION
Figure 2-14.Example of the Steps for Disabling Password-Recovery
Web and MAC Authentication
Page
Page
Page
Page
How Web and MAC Authentication
Operate
Figure 3-1.Example of Default User Login Screen
Figure 3-2.Progress Message During Authentication
redirect-url
Figure 3-3.Authentication Completed
reauth-period
reauthenticate
logoff-period
unauth-vid
unauth- vid
addr-format
addr-limit
addr-moves
server-timeout
max- requests
quiet-period
Authorized-Client
Authentication Server:
Authenticator:
CHAP:
Client:
Operating Rules and Notes
Port Access
Management
Page
Web/MAC
Authentication
and LACP
show
Setup Procedure for Web/MAC
Page
Page
Page
Page
Page
Configuring Web Authentication
ping
Page
spanning-tree
edge-port
controlled- directions in
statistics
Page
Page
Page
MACbased
clients detailed
Figure 4. Example of show port-access web-basedCommand Output
n/a - IPv6
no info
Figure 5. Example of show port-access web-basedclients Command Output
Example of show port-access web-basedclients detailed Command Output
No)
Figure 8. Example of show port-access web-basedconfig detail Command Output
Page
Customizing Web Authentication HTML
Files (Optional)
ewa-server
index.html
accept.html
User Login Page (index.html)
Figure 8. User Login Page
Figure 9. HTML Code for User Login Page Template
Access Granted Page (accept.html)
Figure 9-10.Access Granted Page
Figure 11. HTML Code for Access Granted Page Template
Authenticating Page (authen.html)
Figure 12. Authenticating Page
authen.html
Figure 13. HTML Code for Authenticating Page Template
Invalid Credentials Page (reject_unauthvlan.html)
Figure 10. Invalid Credentials Page
reject_unauthvlan.html
Figure 14. HTML Code for Invalid Credentials Page Template
Timeout Page (timeout.html)
Figure 15. Timeout Page
timeout.html
Figure 16. HTML Code for Timeout Page Template
Retry Login Page (retry_login.html)
Figure 17. Retry Login Page
retry_login.html
max-retries
Figure 18. HTML Code for Retry Login Page Template
SSL Redirect Page (sslredirect.html)
Figure 19. SSL Redirect Page
sslredirect
ssl-login
Figure 20. HTML Code for SSL Redirect Page Template
Access Denied Page (reject_novlan.html)
Figure 11. Access Denied Page
reject_novlan
Figure 21. HTML Code for Access Denied Page Template
Configuring MAC Authentication on the
Switch
no-delimiter
single-dash
multi-dash
multi-colon
no-delimiter-uppercase — specifies an AABBCCDDEEFF format
Page
Page
Page
Figure 3-22.Example of show port-access mac-basedCommand Output
Example of show port-access mac-basedclients detail Command Output
Page
Example of show port-access mac-basedconfig detail Command Output
Page
Client Status
show... clients’
TACACS+ Authentication
A3 or
A2 or
Figure 4-1.Example of TACACS+ Operation
Terminology Used in TACACS
Applications:
NAS (Network Access Server):
TACACS+ Server:
Authentication:
Page
Notes
General System Requirements
General Authentication Setup Procedure
Page
Note on Privilege Levels
Caution
telnet login
telnet enable
Configuring TACACS+ on the Switch
aaa authentication:
tacacs-server:
Figure 4-2.Example Listing of the Switch’s Authentication Configuration
paris-1
show tacacs
Figure 4-3.Example of the Switch’s TACACS+ Configuration Listing
aaa authentication login
tacacs
radius
Table 4-1.AAA Authentication Parameters
local
none
Figure 4-4.Advanced TACACS+ Settings Section of the TACACS+ Server User Setup
Figure 4-5.The Shell Section of the TACACS+ Server User Setup
Table 4-2.Primary/Secondary Authentication Table
Caution Regarding
Login Primary
Access
Console Login (Operator or Read-Only)Access: Primary using TACACS+ server
Secondary using Local
Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server
Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server
The host IP address(es)
The timeout value
Note on
Encryption Keys
Page
Adding, Removing, or Changing the Priority of a TACACS+ Server
Figure 4-6.Example of the Switch with Two TACACS+ Server Addresses Configured
Configuring an Encryption Key
Procurve(config)# tacacs-serverkey <keystring
show config running
write mem
How Authentication Operates
Figure 4-8.Using a TACACS+ Server for Authentication
Page
Page
Global key:
Server-Specific
key:
Controlling Web Browser Interface
Access When Using TACACS+
Messages Related to TACACS+
Operation
server
tacacs-server configuration
Page
RADIUS Authentication, Authorization, and Accounting
Page
Page
Page
EXEC Session:
Host: See RADIUS Server
RADIUS Client:
RADIUS Host:
RADIUS Server:
Switch Operating Rules for RADIUS
General RADIUS Setup Procedure
Preparation:
Table 5-1.Preparation for Configuring RADIUS on the Switch
Figure 5-1.Example of Possible RADIUS Access Assignments
Configuring the Switch for RADIUS
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Using SNMP To View and Configure
Switch Authentication Features
S e c u r i t y N o t e s
snmp-server
mib hpswitchauthmib excluded
excluded:
included
Excluded MIBs
show run
Local Authentication Process
Controlling Web Browser Interface Access
CLI: no web-management
2.Switch Configuration
1.System Information
Web Agent Enabled: No
Commands Authorization
radius:
Figure 5-10.Example of Show Authorization Command
Page
Page
Page
New > key
Submit + Restar
1.Select System Configuration
Logging
Submit
Page
VLAN Assignment in an Authentication
Session
vlan100
Page
Configuring RADIUS Accounting
Network accounting:
System accounting:
Commands accounting:
RADIUS accounting with IP attribute:
show radius
[key
key-string
Accounting types:
Trigger for sending accounting reports to a RADIUS server:
Updating:
Page
Exec:
exec
System:
system
system
Network:
Web or MAC
■Start-Stop:
start-stop
Figure 5-12.Example of Configuring Accounting Types
Updates:
Suppress:
Page
Viewing RADIUS Statistics
show radius
Figure 5-14.Example of General RADIUS Information from Show Radius Command
Figure 5-15.RADIUS Server Information From the Show Radius Host Command
Figure 5-16.Example of Login Attempt and Primary/Secondary Authentication
Information from the Show Authentication Command
Figure 5-17.Example of RADIUS Authentication Information from a Specific Server
Figure 5-18.Listing the Accounting Configuration in the Switch
Figure 5-19.Example of RADIUS Accounting Information for a Specific Server
Changing RADIUS-ServerAccess Order
Figure 5-21.Search Order for Accessing a RADIUS Server
Figure 5-22.Example of New RADIUS Server Search Order
Messages Related to RADIUS Operation
Configuring Secure Shell (SSH)
Client Public Key Authentication (Login/Operator Level) with User
Figure 6-1.Client Public Key Authentication Model
www.openssh.com
login
Figure 6-2.Switch/User Authentication
SSH Server:
Private Key:
Enable Level:
Login Level:
SSH Enabled:
generate ssh [dsa | rsa]
Prerequisite for Using SSH
Public Key Formats
Steps for Configuring and Using SSH for Switch and Client Authentication
Table
SSH Options
login public- key
erase
startup-config
Configuring the Switch for SSH
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Further Information on SSH Client
Public-KeyAuthentication
copy tftp
aaa authentication ssh
Figure 6-13.Example of a Client Public Key
Note on Public
Keys
smith@support.cairns.com
append
operator
keylist-str
manager
clear crypto
Messages Related to SSH Operation
tftp
After you execute the generate ssh [dsa | rsa]
Note
Page
Configuring Secure Socket Layer (SSL)
Server Certificate authentication with User Password
Authentication
Switch/User Authentication
N o t e :
SSL Server:
Key Pair:
Digital Certificate:
Root Certificate:
Manager Level:
Operator Level:
Local password or username:
SSL Enabled:
Prerequisite for Using SSL
Steps for Configuring and Using SSL for Switch and Client Authentication
Page
Configuring the Switch for SSL
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Common Errors in SSL setup
Configuring Advanced Threat Protection
Page
Page
DHCP Snooping
authorized server:
database:
tftp://ip-addr/ascii-string
option
yes
trust
untrusted
verify
Figure 8-2.Example of Show DHCP Snooping Statistics
Figure 8-3.Example of DCHP Snooping on a VLAN
Example of Setting Trusted Ports
Figure 8-5.Example of Authorized Servers for DHCP Snooping
mac:
subnet-ip:
subnet-ip
untrusted
drop:
Figure 8-6.Example of DHCP Snooping Option 82 using the VLAN IP Address
Figure 8-7.Example Showing the DHCP Snooping Verify MAC Setting
file
delay
timeout
Figure 8-8.Example Showing DHCP Snooping Binding Database Contents
agent
event
packet
Server <ip-address>packet received on untrusted port <port-number
dropped
Client packet destined to untrusted port <port-number
Unauthorized server <ip-address>detected on port
Received untrusted relay information from client <mac-address>on
Client address <mac-address>not equal to source MAC <mac-address
detected on port
Attempt to release address <ip-address>leased to port <port-number
Lease table is full, DHCP lease was not added. The lease table is full
Snooping table is full
Dynamic ARP Protection
Page
vlan-range
Figure 8-9.Configuring Trusted Ports for Dynamic ARP Protection
port-list
c1-c3
interface
validate
src-mac
dst-mac
Figure 8-1.The show arp-protectCommand
Figure 8-2.Show arp-protectstatistics Command
Figure 8-3.Example of debug arp-protectCommand
Dynamic IP Lockdown
Page
Table 1. Sample DHCP Snooping Entries
Figure 8-4.Example of Internal Statements used by Dynamic IP Lockdown
deny any
permit any
source-lockdown
dhcp-snooping
Page
Page
Page
status
Figure 8-5.Example of show ip source-lockdownstatus Command Output
bindings
Figure 8-6.Example of show ip source-lockdownbindings Command Output
debug
dynamic-ip-lockdown
debug destination session
Figure 8-7.Example of debug dynamic-ip-lockdownCommand Output
Using the Instrumentation Monitor
Figure 8-8.Example of Event Log Message generated by Instrumentation Monitor
Figure 8-9.Example of rate limiting when multiple messages are generated
Known Limitations:
enabled
[all]
see parameter listings below
[arp-requests]
1000 (med)
instrumentation monitor
The show instrumentation monitor configuration command displays the config
Figure 8-10.Viewing the Instrumentation Monitor Configuration
Traffic/Security Filters and Monitors
Page
Filter Types and Operation
Filter Types and Criteria
Figure 9-1.Example of a Source-PortFilter Application
trk1
trk2
trk
Figure 9-2.Example of a Filter Blocking Traffic only from Port 5 to Server "A
Figure 9-3.The Filter for the Actions Shown in Figure
no filter
named-filter
<filter-name
show filter
accounting
Filter Name
Port List
NOT USED
Action
Figure 9-4.Network Configuration for Named Source-PortFilters Example
Figure 9-6.Source Port Filters Applied to Switch Ports
Figure 9-7.Example of the show filter Command
IDX
Value
Figure 9-8.Example Showing Traffic Filtered on Specific Ports
Figure 9-9.Example of Source Port Filtering with Internet Traffic
Figure 9-10.Expanded Network Configuration for Named Source-PortFilters Example
Action
Figure 9-11.Example Showing Network Traffic Management with Source Port Filters
Figure 9-12.Named Source-PortFilters Managing Traffic
Configuring Traffic/Security Filters
Forward
Trk1
trk6
Figure 9-13.Example of Switch Response to Adding a Filtered Source Port to a
Trunk
Figure 9-14.Assigning Additional Destination Ports to an Existing Filter
Table 9-2.Filter Example
Figure 9-15.Configuring Various Traffic/Security Filters
show filter
index
Page
Configuring Port-Basedand
User-BasedAccess Control (802.1X)
Page
Page
Page
Page
Page
CHAP (MD5):
User-Based
Guest VLAN:
EAP
EAPOL:
Supplicant:
General 802.1X Authenticator Operation
Page
Figure 10-1.Priority of VLAN Assignment for an Authenticated Client
Page
Error configuring port X: LACP and 802.1X cannot be run together
Applying Web Authentication or MAC Authentication Concurrently
General Setup Procedure for
Access Control
Figure 10-2.Example of the Password Port-AccessCommand
Figure 10-3.Example of show port-accessconfig Command Output
Page
auto
eap-radius
chap-radius
radius host
Configuring Switch Ports as 802.1X Authenticators
Page
User-Based802.1X Authentication
Port-Based802.1X Authentication
authenticator
Figure 10-4.Example of Configuring User-Based802.1X Authentication
Figure 10-5.Example of Configuring Port-Based802.1X Authentication
unauthorized:
max-requests
Page
none or authorized
Figure 10-6.Example of 802.1X (Port-Access)Authentication
Page
aaa port- access authenticator
control auto
Prerequisite
spanning- tree
Page
authenticator config
Figure 10-7.Example of Configuring 802.1X Controlled Directions
802.1X Open VLAN Mode
1st Priority:
2nd Priority:
3rd Priority:
Page
Table 10-2.802.1X Open VLAN Mode Options
802.1X Per-PortConfiguration
Port Response
Note for a Port Configured To Allow Multiple Client Sessions: If any
Page
Only
Unauthorized-Client
Authorized-Client
Condition
Rule
Page
Page
Page
Page
Page
Page
rad4all
Page
Option For Authenticator Ports:
Configure Port-Security
Devices
Figure 10-8. Port-AccessSupport for Port-SecurityOperation
Configure the port access type
Configuring Switch Ports To Operate As
Supplicants for 802.1X Connections to
Other Switches
Figure 10-9.Example of Supplicant Operation
Page
Page
(Syntax Continued)
Enter secret: < password
Repeat secret: < password
Displaying 802.1X Configuration, Statistics, and Counters
Yes or No
•Port COS:
cos-value
•% In Limit:
rate-limit-value
Figure 10-10.Exampleof show port-accessauthenticator Command
authenticator
show running
Figure 10-11.Exampleof show port-accessauthenticator config Command
Page
Figure 10-12.Exampleof show port-accessauthenticator statistics Command
in-progress
terminated
Figure 10-13.Exampleof show port-accessauthenticator session-countersCommand
authenticator control
Figure 10-14.Exampleof show port-accessauthenticator vlan Command
n/a - no info
Page
show port- access authenticator vlan
Figure 10-17.Example Showing Ports Configured for Open VLAN Mode
Auth VLAN ID
Current VLAN ID
Unauth VLAN ID
Table 10-1.Output for Determining Open VLAN Mode Status (Figure 10-17, Upper)
Table 10-3.Output for Determining Open VLAN Mode Status (Figure 10-17, Lower)
%Curr. Rate Limit Inbound
Figure 10-18.Exampleof Showing a VLAN with Ports Configured for Open VLAN Mode
secret
Connecting
Authenticated
Acquired
Authenticating
How RADIUS/802.1X Authentication Affects VLAN Operation
If the Port Used by the Client Is Not Configured as an Untagged
Page
Page
Page
Figure 10-19.Exampleof an Active VLAN Configuration
show vlan
Page
Page
unknown-vlans
Messages Related to 802.1X Operation
Table 10-4.802.1X Operating Messages
Configuring and Monitoring Port Security
Page
Port Security (Page
4)
MAC Lockdown (Page
11-22)
MAC Lockout (Page
Port Security
Default Port Security Operation
Intruder Protection
Eavesdrop Protection
Action:
Static:
Configured:
Authorized (MAC) Addresses:
Figure 11-1.Example of How Port Security Controls Access
show log
Port Security Commands Used in This Section
Displaying Port Security Settings
Listing Authorized and Detected MAC Addresses
mac-address:
port list:
vlan < vid >:
Figure 11-4.Examples of Show Mac-AddressOutputs
continuous
port-security
MAC Age Interval
show system information
mac-age-time
static:
limited-continuous
Page
none:
Learned Addresses
mac-addr
address-list
■Delete it by using no port-security< port-number > mac-address< mac-addr
Figure 11-5.Example of Adding an Authorized Device to a Port
Figure 11-6.Example of Adding a Second Authorized Device to a Port
Figure 11-7.Example of Port Security on Port A1 with an Address Limit of “1”
Figure 11-8.Example of Two Authorized Addresses on Port A1
Figure 11-9.Example of Port A1 After Removing One MAC Address
MAC Lockdown
How It Works
Other Useful Information
Limits
Event Log Messages
MAC Lockout
Page
Table 11-10.Limits on Lockout MACs
Page
Web: Displaying and Configuring Port
Security Features
Reading Intrusion Alerts and Resetting
Alert Flags
–The show port-security intrusion-log command displays the Intrusion Log
log
Figure 11-11.Example of Multiple Intrusion Log Entries for the Same Port
Send-Disable
Operation
1.Status and Counters
4.Port Status
Figure 11-12.Example of Port Status Screen with Intrusion Alert on Port A3
Figure 11-13.Example of the Intrusion Log Display
prior to
show interfaces brief
intrusion-log
Figure 11-16.Exampleof Port Status Screen After Alert Flags Reset
From the CLI
search-text
ffi
security
From the Menu Interface:
ext page
rev page
Status
Operating Notes for Port Security
Page
Using Authorized IP Managers
Authorized IP Manager Features
Options
Access Levels
Manager:
Operator:
Defining Authorized Management
Stations
Authorizing Single Stations:
Manager
Operator
2. Switch Configuration …
7. IP Authorized Managers
Figure 12-1.Example of How To Add an Authorized Manager Entry
Figure 12-2.Example of How To Add an Authorized Manager Entry (Continued)
Edit
Delete
authorized-managers
Figure 12-3.Exampleof the Show IP Authorized-ManagerDisplay
To Delete an Authorized Manager Entry. This command uses the IP
Web: Configuring IP Authorized
Managers
Building IP Masks
Figure 12-5.Analysis of IP Mask for Single-StationEntries
Figure 12-6.Analysis of IP Mask for Multiple-StationEntries
Duplicate IP Addresses:
Web Proxy Servers:
Page
Index
Numerics
