HP Q.11. (2510-24) 193

Configuring Port-Based and Client-Based Access Control (802.1X)

Terminology

designate as the Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does not have to be statically configured as a member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN. An unauthorized-client VLAN is available on a port only if there is no authenticated client already using the port.

Untagged Membership in a VLAN: A port can be an untagged member of only one VLAN. (In the factory-default configuration, all ports on the switch are untagged members of the default VLAN.) An untagged VLAN membership is required for a client that does not support 802.1q VLAN tagging. A port can simultaneously have one untagged VLAN membership and multiple tagged VLAN memberships. Depending on how you configure 802.1X Open VLAN mode for a port, a statically configured, untagged VLAN membership may become unavailable while there is a client session on the port. See also “Tagged Membership in a VLAN”.

8-9

Contents

ProCurve Switches Page ProCurve Series 2510 Switches Access Security Guide Page Contents Product Documentation 1 Getting Started 2 Configuring Username and Password Security 3 Web and MAC Authentication 4 TACACS+ Authentication 5 RADIUS Authentication and Accounting 6 Configuring Secure Shell (SSH) 7 Configuring Secure Socket Layer (SSL) 8Configuring Port-Basedand Client-BasedAccess Control (802.1X) Page 9 Configuring and Monitoring Port Security 10 Using Authorized IP Managers Page Product Documentation Feature Index Page Page Getting Started Introduction www.procurve.com Overview of Access Security Features TACACS+ Authentication RADIUS Authentication and Accounting Port-Based Authorized IP Managers Table 1-1.Management Access Security Protection Conventions Syntax: hostname Figure 1-1.Example of a Figure Showing a Simulated Screen Sources for More Information www.procurve.com Technical support Product manuals (all) Figure 1-2.Getting Help in the Menu Interface Need Only a Quick Start setup 8. Run Setup Im portant Page Configuring Username and Password Security Page Caution Inactivity Time Configuring Local Password Security 3. Console Passwords Figure 2-1.The Set Password Screen Enter new password again [Enter] Set Passwords Delete Password Protection Continue Deletion of password protection? No Yes Configuring Manager and Operator Passwords Figure 2-3.Removing a Password and Associated Username from the Switch To Configure (or Remove) Usernames and Passwords in the Web Browser Interface Security Click on [Device Passwords] Front-PanelSecurity Figure 2-4.Example Front-PanelButton Locations Figure 2-5.Press the Clear Button for One Second To Reset the Password(s) Figure 2-6.Press and hold the Reset Button for One Second To Reboot the Switch front-panel-security Clear Password: Disabled Password Recovery: CAUTION: Figure 2-7.The Default Front-PanelSecurity Settings reset-on-clear Disabled password-clear Figure 2-9.Example of Re-Enablingthe Clear Button’s Default Operation Default: Notes: Figure 2-10.Example of Disabling the Factory Reset Option C a u t i o n Note: To disable password-recovery: Steps for Disabling Password-Recovery factory- reset no front-panel-security password-recovery CAUTION Figure 2-11.Example of the Steps for Disabling Password-Recovery password N o t e Page Web and MAC Authentication Page Page Page How Web and MAC Authentication Operate Figure 3-1.Example of User Login Screen dhcp-addr dhcp-lease web-based Figure 3-2.Progress Message During Authentication client-limit redirect-url Figure 3-3.Authentication Completed client-moves unauth- vid addr-format addr-limit reauth-period reauthenticate logoff-period addr-moves server-timeout Authorized-Client Authentication Server: CHAP: Client: Redirect URL: Operating Rules and Notes Note on Port Access Management Page Note on Web MAC Authentication and LACP General Setup Procedure for Web/MAC Authentication Page aabbccddeeff aabbcc-ddeeff aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff Note on MAC Configuring the Switch To Access a RADIUS Server Figure 3-4.Example of Configuring a Switch To Access a RADIUS Server Configuring Web Authentication ping Page Page Page Page Configuring MAC Authentication on the Switch no-delimiter single-dash multi-dash multi-colon Page Page Show Status and Configuration of Web-BasedAuthentication Page MAC-BasedAuthentication Page Show Client Status show... clients’ TACACS+ Authentication A3 or A2 or Figure 4-1.Example of TACACS+ Operation Notes Terminology Used in TACACS Applications: Authentication: Page General System Requirements General Authentication Setup Procedure Page Note on Privilege Levels telnet login telnet enable Configuring TACACS+ on the Switch show authentication aaa authentication: tacacs-server: Syntax Figure 4-2.Example Listing of the Switch’s Authentication Configuration Syntax: paris-1 show tacacs Figure 4-3.Example of the Switch’s TACACS+ Configuration Listing radius Table 4-1.AAA Authentication Parameters Table 4-2.Primary/Secondary Authentication Table Caution Regarding Login Primary Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server The host IP address(es) The timeout value aaa authentication Note on Encryption Keys Table 4-3.Details on Configuring TACACS Servers and Keys Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 4-4.Example of the Switch with Two TACACS+ Server Addresses Configured tacacs-server Figure Configuring an Encryption Key write mem How Authentication Operates Figure 4-6.Using a TACACS+ Server for Authentication Local Global key: Server-Specific key: south10campus north40campus Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page RADIUS Authentication and Accounting Authentication Host: See RADIUS Server NAS (Network Access Server): RADIUS (Remote Authentication Dial In User Service): RADIUS Client: RADIUS Host: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Preparation: Table 5-1.Preparation for Configuring RADIUS on the Switch Figure 5-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Page Page Page Page Page Page Page Page Page Local Authentication Process Controlling Web Browser Interface Access When Using RADIUS Authentication Configuring RADIUS Accounting Network accounting: System accounting: Page key key-string Accounting types: Trigger for sending accounting reports to a RADIUS server: Updating: Page Exec: exec System: system system ■Start-Stop: start-stop ■Stop-Only: stop-only Figure 5-8.Example of Configuring Accounting Types Updates: Suppress: Viewing RADIUS Statistics Page Table 5-2.Values for Show Radius Host Output (Figure 5-11) Figure 5-12.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 5-13.Example of RADIUS Authentication Information from a Specific Server Figure 5-14.Listing the Accounting Configuration in the Switch Figure 5-15.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 5-17.Search Order for Accessing a RADIUS Server Figure 5-18.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 6-1.Client Public Key Authentication Model www.openssh.com Figure 6-2.Switch/User Authentication SSH Server: Key Pair: PEM (Privacy Enhanced Mode): Private Key: Enable Level: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication Table SSH Options login public- key None erase startup-config Configuring the Switch for SSH Page Page Page Page Page Page Page Page Page Page Page Page Page Further Information on SSH Client Public-KeyAuthentication aaa authentication ssh Figure 6-14.Example of a Client Public Key Page Note on Public Keys smith@fellow append operator clear crypto Page Messages Related to SSH Operation tftp Page Configuring Secure Socket Layer (SSL) www.openssl.com Server Certificate authentication with User Password Authentication Figure 7-1.Switch/User Authentication SSL Server: Manager Level: Operator Level: SSL Enabled: crypto key generate cert [key size] crypto Prerequisite for Using SSL Steps for Configuring and Using SSL for Switch and Client Authentication Page Configuring the Switch for SSL Operation Figure 7-2.Example of Configuring Local Passwords Apply Changes show config CLI commands used to generate a Server Host Certificate crypto key generate cert Table 7-1.Certificate Field Descriptions CLI Command to view host certificates Syntax show crypto Figure 7-4.Example of show crypto host-certcommand ii.Select the Create Certificate/Certificate Request radio button Self-Signed Certificate Type RSA Key Size Current Page Figure 7-6.Web browser Interface showing current SSL Host Certificate iii.Select Create CA Request from the Certificate Type drop-downlist Figure 7-7.Example of a Certificate Request and Reply Page web- management ssl ■Execute no web-managementssl Enable SSL and Port number selection Note on Port Number tcp-port Common Errors in SSL Setup Page Configuring Port-Basedand Client-BasedAccess Control (802.1X) Page Page Page Page Figure 8-1.Example of an 802.1X Application Authenticator: CHAP (MD5): Client-Based Guest VLAN: EAP EAPOL: Friendly Client: MD5: PVID (Port VID): Supplicant: Page General 802.1X Authenticator Operation Figure 8-2.Example of Supplicant Operation Page Error configuring port X: LACP and 802.1X cannot be run together Note on and LACP General Setup Procedure for Access Control eap-radius chap-radius radius host Page Configuring Switch Ports as 802.1X Authenticators Page Port-Based802.1X Authentication authenticator Figure 8-3.Example of Configuring Client-Based802.1X Authentication Figure 8-4.Example of Configuring Port-Based802.1X Authentication unauthorized: max-requests control auto Figure 8-5.Example of 802.1X (Port-Access)Authentication Page Page 802.1X Open VLAN Mode 1st Priority: 2nd Priority: Page Table 8-1.802.1X Open VLAN Mode Options 802.1X Per-PortConfiguration Port Response both Only Unauthorized-Client Authorized-Client Condition Rule Page Page Page Page Page rad4all Page Page Option For Authenticator Ports: Configure Port-SecurityTo Allow Only 802.1X Devices Note on Blocking a Non- 802.1X Device control authorized authorized Configure the port access type Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Figure 8-6.Example of Supplicant Operation identity secret Enter secret: < password Repeat secret: < password max-start start-period start- period Displaying 802.1X Configuration, Statistics, and Counters (Syntax Continued) supplicant Figure 8-7.Example of show port-accessauthenticator config Command Figure 8-8.Example Showing Ports Configured for Open VLAN Mode Thus, in the show port-accessauthenticator output: Auth VLAN ID Current VLAN ID Table 8-3.Open VLAN Mode Status Figure 8-9.Example of Showing a VLAN with Ports Configured for Open VLAN Mode secret Connecting supplicant statistics [e] How RADIUS/802.1X Authentication Affects VLAN Operation If the Port Used by the Client Is Not Configured as an Untagged Figure 8-10.Example of an Active VLAN Configuration show vlan show vlan Page Page Messages Related to 802.1X Operation Table 8-4.802.1X Operating Messages Configuring and Monitoring Port Security Default Port Security Operation continuous Intruder Protection Authorized (MAC) Addresses: Figure 9-1.Example of How Port Security Controls Access Planning Port Security show log Port Security Command Options and Page Page Page Page Page Page Page Page Page Page Web: Displaying and Configuring Port Security Features 2.Click on [Port Security] Reading Intrusion Alerts and Resetting Alert Flags –The show port-security intrusion-log command displays the Intrusion Log log Figure 9-8.Example of Multiple Intrusion Log Entries for the Same Port Send-Disable Operation 1.Status and Counters 4.Port Status Figure 9-9.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 9-10.Example of the Intrusion Log Display prior to eset alert flags show interfaces brief intrusion-log Figure 9-13.Example of Port Status Screen After Alert Flags Reset From the CLI ffi security violation From the Menu Interface: Operating Notes for Port Security Page Configuring Protected Ports protected-ports Figure 9-15.Example of Protected Ports Command for Ports 4 and Figure 9-16.Example Showing Protected Ports and Unprotected Ports running-config Figure 9-17.Example of Running Config File Showing Protected Ports Figure 9-18.Example With Ports 1-8Protected and Ports 9 and 10 Unprotected Using Authorized IP Managers Authorized IP Manager Features Access Levels Manager: Operator: Defining Authorized Management Stations Authorizing Multiple Stations: Manager Operator 2.Switch Configuration … 7.IP Authorized Managers Figure 10-1.Example of How To Add an Authorized Manager Entry Figure 10-2.Example of How To Add an Authorized Manager Entry (Continued) Edit Delete show ip authorized-managers Figure 10-3.Example of the Show IP Authorized-ManagerDisplay To Delete an Authorized Manager Entry. This command uses the IP Web: Configuring IP Authorized Managers 2.Click on [Authorized Addresses] Add Replace Building IP Masks Table 10-1.Analysis of IP Mask for Single-StationEntries Table 10-2.Analysis of IP Mask for Multiple-StationEntries Modem and Direct Console Access: Duplicate IP Addresses: Web Proxy Servers: Page Page Numerics