HP W.14.03 454

Configuring Port-Based and User-Based Access Control (802.1X)

General Operating Rules and Notes

not enabled. That is, any non-authenticating client attempting to access the port after another client authenticates with port-based 802.1X would still have to authenticate through Web-Auth or MAC-Auth.

12-14

Contents

ProCurve Switches Page HP ProCurve 2910al Switch Page Product Documentation 1 Security Overview 2 Configuring Username and Password Security 3 Web and MAC Authentication 4 TACACS+ Authentication 5 RADIUS Authentication and Accounting Using SNMP To View and Configure Local Authentication Process Controlling Web Browser Interface Access 6Configuring RADIUS Server Support for Switch Services 7 Configuring Secure Shell (SSH) 8 Configuring Secure Socket Layer (SSL) 9 IPv4 Access Control Lists (ACLs) Page Deleting an ACL 10 Configuring Advanced Threat Protection 11 Traffic/Security Filters and Monitors Page 13 Configuring and Monitoring Port Security 14 Using Authorized IP Managers 15 Key Management System Index Product Documentation Software Feature Index Page Page Page Page Security Overview About This Guide For More Information Access Security Features Table 1-1.Access Security and Switch Authentication Features Page Page Page Network Security Features Table 1-2.Network Security—DefaultSettings and Security Guidelines Page Page Getting Started with Access Security Physical Security Quick Start: Using the Management Interface Wizard setup mgmt-interfaces Figure 1-1.Example of Management Interface Wizard Configuration CTRL-C [n] CLI Wizard: Operating Notes and Restrictions no password Setup Wizard Figure 1-2.Management Interface Wizard: Welcome Window Continue Exit Back Figure 1-3.Management Interface Wizard: Summary Setup Apply Web Wizard: Operating Notes and Restrictions SNMP Security Guidelines A c c e s s t o M I B If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network snmp-servermib hpswitchauthmib excluded Precedence of Security Options Precedence of Port-BasedSecurity Options Precedence of Client-BasedAuthentication: Dynamic Configuration Arbiter Page www.procurve.com/solutions Security Products Page ProCurve Identity-DrivenManager (IDM) Configuring Username and Password Security Page N o t e s Menu Interface: CLI: C a u t i o n Configuring Local Password Security Menu: Setting Passwords 3. Console Passwords Figure 2-1.The Set Password Screen Enter new password again To Delete Password Protection (Including Recovery from a Lost Password): Set Passwords Delete Password Protection Continue Deletion of password protection? No CLI: Setting Passwords and Usernames Configuring Manager and Operator Passwords Figure 2-2.Example of Configuring Manager and Operator Passwords Figure 2-3.Removing a Password and Associated Username from the Switch no password all Web: Setting Passwords and Usernames To Configure (or Remove) Usernames and Passwords in the Web Browser Interface SNMP: Setting Passwords and Usernames Saving Security Credentials in a Config File include- credentials Benefits of Saving Security Credentials Enabling the Storage and Display of Security Credentials running-config write terminal Security Settings that Can Be Saved Local Manager and Operator Passwords Password Command Options manager: operator: port-access: user-name SNMP Security Credentials auth md5 sha priv 802.1X Port-AccessCredentials port-access) password manager password operator TACACS+ Encryption Key Authentication RADIUS Shared-SecretKey Authentication SSH Client Public-KeyAuthentication Page Figure 2-5.Example of SSH Public Keys include-credentials commands copy config config copy config tftp copy tftp config copy config xmodem Restrictions snmpv3 user Page Front-PanelSecurity When Security Is Important Front-PanelButton Functions Figure 2-6. Front-PanelReset and Clear Buttons Figure 2-7.Press the Clear Button for One Second To Reset the Password(s) Figure 2-8.Press and hold the Reset Button for One Second To Reboot the Switch Configuring Front-PanelSecurity front-panel-security Clear Password: Enabled Disabled Password Recovery: CAUTION: Figure 2-9.The Default Front-PanelSecurity Settings Enabled password-clear Figure 2-11.Example of Re-Enablingthe Clear Button’s Default Operation Default: Notes: Figure 2-12.Example of Disabling the Factory Reset Option Password Recovery Note: To disable password-recovery: Steps for Disabling Password-Recovery factory- reset no front-panel-security password-recovery CAUTION Password Recovery Process password Page Page Web and MAC Authentication Web Authentication MAC Authentication Concurrent Web and MAC Authentication Authorized and Unauthorized Client VLANs RADIUS-BasedAuthentication Wireless Clients How Web and MAC Authentication Operate Web-basedAuthentication Figure 3-1.Example of Default User Login Screen Figure 3-2.Progress Message During Authentication redirect-url Figure 3-3.Authentication Completed reauth-period reauthenticate logoff-period MAC-basedAuthentication addr-format addr-limit addr-moves server-timeout max- requests quiet-period Authorized-Client Authentication Server: Authenticator: CHAP: Client: Operating Rules and Notes Page W e b / M A C A u t h e n t i c a t i o n a n d L A C P Setup Procedure for Web/MAC Before You Configure Web/MAC Authentication Figure 3-4.Example of show port-accessconfig Command Output Configuring the RADIUS Server To Support MAC Authentication aabbccddeeff aabbcc-ddeeff aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff Configuring the Switch To Access a RADIUS Server Figure 3-5.Example of Configuring a Switch To Access a RADIUS Server Configuring Web Authentication ping Configuration Commands for Web Authentication both spanning-tree edge-port Page statis tics Page Page Page Show Commands for Web Authentication MACbased clients detailed Figure 3-6.Example of show port-access web-basedCommand Output n/a - IPv6 no info Figure 3-7.Example of show port-access web-basedclients Command Output Figure 3-8.Example of show port-access web-basedclients detailed Command Output No) Figure 3-9.Example of show port-access web-basedconfig Command Output Figure 3-10.Example of show port-access web-basedconfig detail Command Output Page Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication no-delimiter single-dash multi-dash multi-colon Page Page Show Commands for MAC-BasedAuthentication Figure 3-12.Example of show port-access mac-basedCommand Output Figure 3-13.Example of show port-access mac-basedclients Command Output Figure 3-14.Example of show port-access mac-basedclients detail Command Output Figure 3-15.Example of show port-access mac-basedconfig Command Output Figure 3-16.Example of show port-access mac-basedconfig detail Command Output Page Client Status show... clients’ TACACS+ Authentication A3 or A2 or Figure 4-1.Example of TACACS+ Operation Terminology Used in TACACS Applications: Page Notes General System Requirements General Authentication Setup Procedure Note on Privilege Levels Caution telnet login telnet enable Configuring TACACS+ on the Switch Before You Begin aaa authentication: tacacs-server: CLI Commands Described in this Section Viewing the Switch’s Current Authentication Viewing the Switch’s Current TACACS+ Server Contact Configuration paris-1 show tacacs Figure 4-3.Example of the Switch’s TACACS+ Configuration Listing Configuring the Switch’s Authentication Methods aaa authentication privilege-mode tacacs radius Table 4-1.AAA Authentication Parameters Parameters local Configuring the TACACS+ Server for Single Login Figure 4-4.Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Figure 4-5.The Shell Section of the TACACS+ Server User Setup Table 4-2.Primary/Secondary Authentication Table Console Login (Operator or Read-Only)Access: Primary using TACACS+ server Secondary using Local Telnet Login (Operator or Read-Only)Access: Primary using TACACS+ server Telnet Enable (Manager or Read/Write Access: Primary using TACACS+ server Configuring the Switch’s TACACS+ Server Access The host IP address(es) Page Page Adding, Removing, or Changing the Priority of a TACACS+ Server Figure 4-6.Example of the Switch with Two TACACS+ Server Addresses Configured Figure Configuring an Encryption Key Procurve(config)# tacacs-serverkey <keystring show config running write mem How Authentication Operates General Authentication Process Using a TACACS+ Local Authentication Process Using the Encryption Key Global key: Server-Specific key: Controlling Web Browser Interface Access When Using TACACS+ Messages Related to TACACS+ Operation server tacacs-server configuration Page Page RADIUS Authentication and Accounting Page Authentication Services Accounting Services RADIUS-AdministeredCoS and Rate-Limiting SNMP Access to the Switch’s Authentication Configuration MIB EXEC Session: Host: See RADIUS Server NAS (Network Access Server): RADIUS Client: RADIUS Host: Switch Operating Rules for RADIUS General RADIUS Setup Procedure Preparation: Table 5-1.Preparation for Configuring RADIUS on the Switch Figure 5-1.Example of Possible RADIUS Access Assignments Configuring the Switch for RADIUS Outline of the Steps for Configuring RADIUS Authentication Server Key: Timeout Period: Retransmit Attempts: 1.Configure Authentication for the Access Methods You Want RADIUS To Protect Console: Telnet: Web: peap-mschapv2 Default: chap-radius Page Figure 5-3.Example Configuration for RADIUS Authentication 2. Enable the (Optional) Access Privilege Option Page 3. Configure the Switch To Access a RADIUS Server auth-port acct-port Page 4. Configure the Switch’s Global RADIUS Parameters Server timeout: Server dead time: Retransmit attempts: Figure 5-6.Example of Global Configuration Exercise for RADIUS Authentication Figure 5-7.Listings of Global RADIUS Parameters Configured In Figure Using SNMP To View and Configure Switch Authentication Features S e c u r i t y N o t e s snmp-server mib hpswitchauthmib excluded Changing and Viewing the SNMP Access Configuration excluded: included Excluded MIBs Page Local Authentication Process Controlling Web Browser Interface Access CLI: no web-management 2.Switch Configuration 1. System Information Web Agent Enabled: No Commands Authorization Enabling Authorization radius: Displaying Authorization Information Figure 5-10.Example of Show Authorization Command Configuring Commands Authorization on a RADIUS Page Page Page Page Page Additional RADIUS Attributes Configuring RADIUS Accounting Network accounting: System accounting: Commands accounting: RADIUS accounting with IP attribute: Operating Rules for RADIUS Accounting show radius Steps for Configuring RADIUS Accounting radius-server [key key-string Accounting types: Trigger for sending accounting reports to a RADIUS server: Updating: Page Exec: exec System: system system stop-only Figure 5-12.Example of Configuring Accounting Types Updates: Suppress: Viewing RADIUS Statistics General RADIUS Statistics show radius Figure 5-15.RADIUS Server Information From the Show Radius Host Command RADIUS Authentication Statistics Figure 5-16.Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 5-17.Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Figure 5-18.Listing the Accounting Configuration in the Switch Figure 5-19.Example of RADIUS Accounting Information for a Specific Server Changing RADIUS-ServerAccess Order Figure 5-21.Search Order for Accessing a RADIUS Server Figure 5-22.Example of New RADIUS Server Search Order Messages Related to RADIUS Operation Configuring RADIUS Server Support for Switch Services Page www.procurve.com Network Management Product manuals page Technical Support RADIUS Server Configuration for Per-PortCoS (802.1p Priority) and Rate Limiting Applied Rates for RADIUS-AssignedRate Limits Table 6-1. RADIUS-Assigned Rate-LimitIncrements Table 6-2.Examples of Assigned and Applied Rate Limits rate-limit all show qos port-priority Page Configuring and Using RADIUS-AssignedAccess Control Lists DA: Deny: Dynamic Port ACL: Inbound Traffic: Outbound Traffic: Static Port ACL: Wildcard: ACL Mask Overview of RADIUS-Assigned,Dynamic ACLs Contrasting Dynamic (RADIUS-Assigned)and Static ACLs Table 6-3.Contrasting Dynamic (RADIUS-Assigned)and Static ACLs RADIUS-assignedACLs Static Port ACLs How a RADIUS Server Applies a RADIUS-AssignedACL to a Switch Port ip deny any any General ACL Features, Planning, and Configuration The Packet-filteringProcess Operating Rules for RADIUS-AssignedACLs Multiple Clients Using the Same Username/Password Pair: Multiple Effect of RADIUS-assignedACLs on Inbound Traffic for Two Cli Configuring an ACL in a RADIUS Server Table 6-4. Nas-Filter-RuleAttribute Options Configuring ACE Syntax in RADIUS Servers permit | deny >: in: ip | ip-protocol-value any: Nas-filter-Rule ipv4-addr mask < mask dictionary.rfc4849 clients.conf Figure 6-3.Example of Switch Identity Information for a FreeRADIUS Application Page Page Configuring the Switch To Support RADIUS-AssignedACLs cnt 802.1X Option: MAC Authentication Option: Web Authentication Option: Displaying the Current RADIUS-AssignedACL Activity on the Switch Port: Auth Clients: Unauth Clients: Untagged VLAN: Tagged VLANs ICMP Type Numbers and Keywords icmp-type Table 6-5.ICMP Type Numbers and Keywords Event Log Messages Causes of Client Deauthentication Immediately After Authenticating Monitoring Shared Resources Configuring Secure Shell (SSH) Client Public Key Authentication (Login/Operator Level) with User Figure 7-1.Client Public Key Authentication Model www.openssh.com Figure 7-2.Switch/User Authentication SSH Server: Key Pair: PEM (Privacy Enhanced Mode): Enable Level: Prerequisite for Using SSH Public Key Formats Steps for Configuring and Using SSH for Switch and Client Authentication login public- key erase startup-config Configuring the Switch for SSH 1.Assigning a Local Login (Operator) and Enable (Manager) Password To Configure Local Passwords Syntax: Figure 7-4.Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair Page Figure 7-5.Example of Generating a Public/Private Host Key Pair for the Switch Table 7-2.RSA/DSA Values for Various ProCurve Switches 3. Providing the Switch’s Public Key to Clients Figure 7-6.Example of a Public Key Generated by the Switch ord Wrap dit Figure 7-7.Example of a Correctly Formatted Public Key Page 4.Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior To enable SSH on the switch no ip ssh Page Important: manager operator N o t e o n P o r t N u m b e r ip ssh port 5. Configuring the Switch for SSH Authentication Option A: Configuring SSH Access for Password-OnlySSH Authentication Option B: Configuring the Switch for Client Public-KeySSH Page Figure 7-12.SSH Configuration and Client-Public-KeyListing From Figure 6. Use an SSH Client To Access the Switch copy tftp aaa authentication ssh Figure 7-13.Example of a Client Public Key N o t e o n P u b l i c K e y s smith@support.cairns.com append Page Page Messages Related to SSH Operation tftp After you execute the generate ssh [dsa | rsa] Logging Messages Note Debug Logging Configuring Secure Socket Layer (SSL) Server Certificate authentication with User Password Authentication Switch/User Authentication N o t e : SSL Server: Digital Certificate: Self-Signed Root Certificate: Manager Level: Operator Level: SSL Enabled: (web interface or CLI command: crypto key generate cert [key size] Prerequisite for Using SSL Steps for Configuring and Using SSL for Switch and Client Authentication Page Configuring the Switch for SSL 1.Assigning a Local Login (Operator) and Enabling (Manager) Password Figure 8-2.Example of Configuring Local Passwords 2. Generating the Switch’s Server Host Certificate Page CLI commands used to generate a Server Host Certificate crypto key generate cert Table 8-1.CertificateField Descriptions CLI Command to view host certificates Syntax show crypto host cert Figure 8-4.Example of show crypto host-certcommand Page Page Figure 8-6.Web browser Interface showing current SSL Host Certificate ii.Select the Create Certificate/Certificate Request radio button iii.Select Create CA Request from the Certificate Type drop-downlist Current RSA Key Size Figure 8-7.Request for Verified Host Certificate Web Browser Interface Screen 3.Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior Page ■Execute no web-managementssl [Apply Changes] tcp-port Common Errors in SSL setup Page IPv4 Access Control Lists (ACLs) Page Page Application Access Security: Page Overview of Options for Applying IPv4 ACLs on the Switch Static ACLS Dynamic Port ACLs Table 9-1.Command Summary for Standard IPv4 ACLs Page Table 9-2.Command Summary for IPv4 Extended ACLs Note: Table 9-3.Command Summary for Enabling, Disabling, and Displaying ACLs Page ACL Mask: CIDR: NAME-STR identifier ACL-ID Named ACL: An ACL created with the ip access-list< extended | standard Named ACL: seq-# Standard ACL: Types of IPv4 ACLs Extended ACL: ACL Applications Effect of Dynamic Port ACLs When Multiple Clients Are Using the Same Port Figure 9-1.Example of Multiple Clients Authenticating Through a Single Port Multiple ACLs on an Interface Features Common to All ACL Applications deny any deny ip any any General Steps for Planning and Configuring ACLs Page IPv4 Static ACL Operation Example Figure 9-2.Example of Sequential Comparison Figure 9-3.The Packet-FilteringProcess in an ACL with N Entries (ACEs) Figure 9-4.Example of How an ACL Filters Packets Planning an ACL Application IPv4 Traffic Management and Improved Network Security Guidelines for Planning the Structure of a Static ACL IPv4 ACL Configuration and Operating Rules Static Port ACLs: Per Switch ACL Limits for All ACL Types show < qos | > resources How an ACE Uses a Mask To Screen Packets for Matches Page Any IPv4 address fits the matching criteria A group of IPv4 addresses fits the matching criteria Table 9-1.Example of How the Mask Defines a Match Example of Allowing Only One IPv4 Address (“Host” Option). Sup Inbound Packet “A” On VLAN Inbound Packet “B” On VLAN Examples Allowing Multiple IPv4 Addresses. Table 9-2 provides exam Table 9-2.Example of Using an IPv4 Address and Mask in an Access Control Entry Table CIDR Notation Regarding the Use of IPv4 Source Routing Configuring and Assigning an IPv4 ACL Options for Permit/Deny Policies ACL Configuration Structure standard extended Figure 9-6.Example of the General Structure for a Standard ACL Figure 9-7.Example of a Displayed Standard ACL Configuration with Two ACEs Figure 9-8.Example of General Structure Options for an Extended ACL Figure 9-9.Example of a Displayed Extended ACL Configuration ACL Configuration Factors Table 9-4.Effect of the Above ACL on Inbound IPv4 Traffic in the Assigned VLAN Page Using the CLI To Create an ACL Named IPv4 ACLs: acl-name-str Table 9-5.Examples of CIDR Notation for Masks Configuring Standard ACLs Table 9-6.Command Summary for Standard ACLs Page Page resequence Mask Application: 10.10.10.1/24 logging Figure 9-11.Example of Commands Used To Create an Standard, Named ACL Figure 9-12.Screen Output Listing the “Sample-List”ACL Content Page Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define Example of Creating and Viewing a Standard ACL. This example cre Configuring Extended ACLs Table 9-7.Command Summary for Extended ACLs Page Page Page ip access- list standard (nacl context) ip-in-ip ipv6-in-ipgre esp ospf pim DA Mask Application: Page tcp udp Comparison Operators: tcp/udp-port-nbr < end-port-nbr Port Number or Well-KnownPort Name: Comparison Operators and Well-KnownPort Names — [established] established icmp www.iana.com [icmp-type icmp-code] igmp extended a.Use ip access list extended < 100 - 199 > to open the ACL as a named ACL Page Page Page Page Page Adding or Removing an ACL Assignment On an Interface Filtering Inbound IPv4 Traffic Per Port Figure 9-15.Methods for Enabling and Disabling ACLs Deleting an ACL Editing an Existing ACL Using the CLI To Edit ACLs ■Named ACLs: no Sequence Numbering in ACLs Figure 9-16.Example of the Default Sequential Numbering for ACEs Figure 9-17.Examples of Adding an ACE to the end of Numbered or Named ACLs Figure 9-18.Example of Appending an ACE to an Existing List Figure 9-19.Example of Inserting an ACE in an Existing ACL Figure 9-20.Example of Inserting an ACE into an Existing Sequence Figure 9-21.Example of Deleting an ACE from Any ACL starting-seq-# interval | 1 - 99 | Figure 9-22.Example of Viewing and Resequencing an ACL Page < 1 - 99 | 100 - 199 Figure 9-24.Example of Inserting a Remark Inserting a Remark for an ACE that Already Exists in an ACL. If a list-name Figure 9-25.Example of Overwriting One Remark with Another Displaying ACL Configuration Data Display an ACL Summary Figure 9-26.Example of show access-listCommand Figure 9-27.Example of a Summary Table of Access lists std ext Display the Content of All ACLs on the Switch memory Figure 9-28.Example of an ACL Configured Syntax Listing Display Static Port ACL Assignments Figure 9-29.Example of Listing the ACL Assignments for Ports and Trunks Displaying the Content of a Specific ACL Figure 9-30.Example of a Listing a Standard ACL acl-id Page Monitoring Static ACL Performance Total: Resetting ACE Hit Counters to Zero: Creating or Editing ACLs Offline Copy xmodem usb Creating or Editing an ACL Offline no ip access- list Figure 9-32.Example of an Offline ACL File Designed To Replace An Existing ACL command-file Enable ACL “Deny” Logging logging Requirements for Using ACL Logging ACL Logging Operation Figure 9-33.Content of a Message Generated by an ACL-DenyAction Enabling ACL Logging on the Switch logging facility syslog debug destination logging session General ACL Operating Notes ACLs Do Not Affect Serial Port Access. ACLs do not apply to the ACL Logging Protocol Support Configuring Advanced Threat Protection Page DHCP Snooping Enabling DHCP Snooping authorized server: database: tftp://ip-addr/ascii-string option trust untrusted verify vlan Enabling DHCP Snooping on VLANS Figure 10-3.Example of DCHP Snooping on a VLAN Configuring DHCP Snooping Trusted Ports Figure 10-4.Example of Setting Trusted Ports Configuring Authorized Server Addresses Figure 10-5.Example of Authorized Servers for DHCP Snooping Using DHCP Snooping with Option mac: subnet-ip: subnet-ip untrusted drop: Figure 10-6.Example of DHCP Snooping Option 82 using the VLAN IP Address Figure 10-7.Example Showing the DHCP Snooping Verify MAC Setting The DHCP Binding Database file delay timeout Figure 10-8.Example Showing DHCP Snooping Binding Database Contents Enabling Debug Logging agent event packet Operational Notes Log Messages Server <ip-address>packet received on untrusted port <port-number dropped Client packet destined to untrusted port <port-number Unauthorized server <ip-address>detected on port Client address <mac-address>not equal to source MAC <mac-address detected on port Attempt to release address <ip-address>leased to port <port-number Lease table is full, DHCP lease was not added. The lease table is full Snooping table is full Dynamic ARP Protection Page Enabling Dynamic ARP Protection arp protect vlan vlan-range Configuring Trusted Ports Figure 10-9.Configuring Trusted Ports for Dynamic ARP Protection arp protect trust port-list c1-c3 Adding an IP-to-MACBinding to the DHCP Database ip source binding interface Configuring Additional Validation Checks on ARP Packets arp protect validate src-mac dst-mac Displaying ARP Packet Statistics show arp protect statistics Figure 10-11.Showarp protect statistics Command Monitoring Dynamic ARP Protection Figure 10-12.Exampleof debug arp protect Command Using the Instrumentation Monitor Figure 10-13.Exampleof Event Log Message generated by Instrumentation Monitor Figure 10-14.Exampleof rate limiting when multiple messages are generated Known Limitations: Configuring Instrumentation Monitor enabled [all] see parameter listings below [arp-requests] instrumentation monitor Viewing the Current Instrumentation Monitor Page Traffic/Security Filters and Monitors Applicable Switch Models Filter Limits Using Port Trunks with Filters Filter Types and Operation Table 11-1.Filter Types and Criteria Source-PortFilters Figure 11-1.Example of a Source-PortFilter Application trk1 trk2 trk Figure 11-2.Example of a Filter Blocking Traffic only from Port 5 to Server "A Figure 11-3.The Filter for the Actions Shown in Figure Named Source-PortFilters no filter named-filter <filter-name show filter web-only accounting Filter Name Port List NOT USED Action Figure 11-4.Network Configuration for Named Source-PortFilters Example Figure 11-6.Source Port Filters Applied to Switch Ports Figure 11-7.Example of the show filter Command IDX Value Figure 11-8.Example Showing Traffic Filtered on Specific Ports Figure 11-9.Example of Source Port Filtering with Internet Traffic Action Figure 11-12.Example of Removing a Source Port Filter Figure 11-13.Named Source-PortFilters Managing Traffic Static Multicast Filters max-vlans Table 11-2.Multicast Filter Limits Protocol Filters Configuring Traffic/Security Filters Configuring a Source-PortTraffic Filter Forward Trk1 trk6 Figure 11-14.Example of Switch Response to Adding a Filtered Source Port to a Trunk Editing a Source-PortFilter Figure 11-15.Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Table 11-3.Filter Example Figure 11-16.Configuring Various Traffic/Security Filters Filter Indexing show filter index Displaying Traffic/Security Filters Figure 11-17.Example of Displaying Filter Data Configuring Port-Basedand User-BasedAccess Control (802.1X) Page Why Use Port-Basedor User-BasedAccess Control General Features User Authentication Methods Page Page CHAP (MD5): User-Based Authentication: Guest VLAN: EAP Supplicant: General 802.1X Authenticator Operation Example of the Authentication Process VLAN Membership Priority Figure 12-1.Priority of VLAN Assignment for an Authenticated Client Page Error configuring port X: LACP and 802.1X cannot be run together Applying Web Authentication or MAC Authentication Concurrently Page General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation Figure 12-2.Example of the Password Port-AccessCommand Figure 12-3.Example of show port-accessconfig Command Output Page Overview: Configuring 802.1X Authentication on the Switch auto eap-radius chap-radius Configuring Switch Ports as 802.1X Authenticators Page User-Based802.1X Authentication Port-Based802.1X Authentication authenticator Figure 12-4.Example of Configuring User-Based802.1X Authentication Figure 12-5.Example of Configuring Port-Based802.1X Authentication 2. Reconfigure Settings for Port-Access unauthorized: quiet- period Page Page 3. Configure the 802.1X Authentication Method none or authorized Figure 12-6.Example of 802.1X (Port-Access)Authentication 4. Enter the RADIUS Host IP Address(es) 5. Enable 802.1X Authentication on the Switch 6. Optional: Reset Authenticator Operation aaa port- access authenticator control auto 7. Optional: Configure 802.1X Controlled Directions Prerequisite Page authenticator config Figure 12-7.Example of Configuring 802.1X Controlled Directions 802.1X Open VLAN Mode VLAN Membership Priorities 1st Priority: 2nd Priority: 3rd Priority: Use Models for 802.1X Open VLAN Modes Table 12-1.802.1X Open VLAN Mode Options 802.1X Per-PortConfiguration Port Response Note for a Port Configured To Allow Multiple Client Sessions: If any Page Only Unauthorized-Client Authorized-Client Operating Rules for Authorized-Clientand Unauthorized-ClientVLANs Table 12-2.Operating Rules for Client VLANs Condition Rule Page Page Page Setting Up and Configuring 802.1X Open VLAN Mode Page radius host rad4all 802.1X Open VLAN Operating Notes Option For Authenticator Ports: Configure Port-Security Devices Figure 12-8. Port-AccessSupport for Port-SecurityOperation Port-Security Configure the port access type Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Example Figure 12-9.Example of Supplicant Operation Page Supplicant Port Configuration (Syntax Continued) Enter secret: < password Repeat secret: < password Displaying 802.1X Configuration, Statistics, and Counters —Continued— Yes or No •Port COS: cos-value Figure 12-10.Example of show port-accessauthenticator Command authenticator Figure 12-11.Example of show port-accessauthenticator config Command Page Figure 12-12.Example of show port-accessauthenticator statistics Command in-progress terminated Figure 12-13.Example of show port-accessauthenticator session-countersCommand authenticator control Figure 12-14.Exampleof show port-accessauthenticator vlan Command n/a - no info Figure 12-15.Example of show port-accessauthenticator clients Command Output Page Viewing 802.1X Open VLAN Mode Status show port- access authenticator vlan Figure 12-17.Example Showing Ports Configured for Open VLAN Mode Auth VLAN ID Current VLAN ID Unauth VLAN ID Table 12-4.Rules of Access Control Table 12-5.Output for Determining Open VLAN Mode Status (Figure 12-18, Lower) %Curr. Rate Limit Inbound Figure 12-18.Example of Showing a VLAN with Ports Configured for Open VLAN Mode Show Commands for Port-AccessSupplicant secret Connecting Authenticated Acquired How RADIUS/802.1X Authentication Affects VLAN Operation VLAN Assignment on a Port Page Example of Untagged VLAN Assignment in a RADIUS- Based Authentication Session Figure 12-19.Example of an Active VLAN Configuration show vlan Page Enabling the Use of GVRP-LearnedDynamic VLANs in Authentication Sessions unknown-vlans Messages Related to 802.1X Operation Table 12-6.802.1X Operating Messages Page Configuring and Monitoring Port Security Page Port Security (Page 4) MAC Lockdown (Page 13-22) MAC Lockout (Page Port Security Basic Operation Default Port Security Operation Intruder Protection Eavesdrop Protection Eavesdrop Protection Blocking Unauthorized Traffic Figure 13-1.Example of How Port Security Controls Access Trunk Group Exclusion Planning Port Security show log Port Security Command Options and Operation Port Security Commands Used in This Section Displaying Port Security Settings Listing Authorized and Detected MAC Addresses mac-address: port list: vlan < vid >: Figure 13-4.Examples of Show Mac-AddressOutputs Configuring Port Security continuous port-security MAC Age Interval show system information static: limited-continuous Page none: Retention of Static Addresses Learned Addresses mac-addr address-list ■Delete it by using no port-security< port-number > mac-address< mac-addr Figure 13-5.Example of Adding an Authorized Device to a Port Figure 13-6.Example of Adding a Second Authorized Device to a Port Figure 13-7.Example of Port Security on Port A1 with an Address Limit of “1” Figure 13-8.Example of Two Authorized Addresses on Port A1 Figure 13-9.Example of Port A1 After Removing One MAC Address MAC Lockdown How It Works Other Useful Information Differences Between MAC Lockdown and Port Security Page Deploying MAC Lockdown Figure 13-10.MAC Lockdown Deployed At the Network Edge Provides Security Page Figure 13-11.Connectivity Problems Using MAC Lockdown with Multiple Paths MAC Lockout Table 13-1.Limits on Lockout MACs Port Security and MAC Lockout Web: Displaying and Configuring Port Security Features Reading Intrusion Alerts and Resetting Alert Flags Notice of Security Violations –The show port-security intrusion-log command displays the Intrusion Log How the Intrusion Log Operates Figure 13-12.Example of Multiple Intrusion Log Entries for the Same Port Note on Send-Disable Operation 1.Status and Counters 4.Port Status Figure 13-13.Example of Port Status Screen with Intrusion Alert on Port A3 Figure 13-14.Example of the Intrusion Log Display prior to show interfaces brief intrusion-log Figure 13-17.Exampleof Port Status Screen After Alert Flags Reset Using the Event Log To Find Intrusion Alerts From the CLI search-text ffi security Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags Operating Notes for Port Security Page Using Authorized IP Managers Authorized IP Manager Features Options Access Levels Manager: Operator: Defining Authorized Management Stations Overview of IP Mask Operation Menu: Viewing and Configuring IP Authorized Managers 2.Switch Configuration … 6.IP Authorized Managers Figure 14-2.Example of Edit Menu for Authorized IP Managers CLI: Viewing and Configuring Authorized IP Managers show ip authorized-managers Figure 14-3.Example of show authorized-managersCommand Figure 14-4.Example of Configuring IP Authorized Manager To Delete an Authorized Manager Entry. This command uses the IP Web: Configuring IP Authorized Managers 2.Click on the Authorized Addresses button [Add] [Replace] Web-BasedHelp Building IP Masks Configuring One Station Per Authorized Manager IP Entry Table 14-1.Analysis of IP Mask for Single-StationEntries Configuring Multiple Stations Per Authorized Manager IP Entry Table 14-2.Analysis of IP Mask for Multiple-StationEntries Additional Examples for Authorizing Multiple Stations Duplicate IP Addresses: Web Proxy Servers: Page Key Management System Key Chain: Time-Independent Key: Time-Dependent Key Management System (KMS) Enabled Protocol: Configuring Key Chain Management Creating and Deleting Key Chain Entries Figure 15-1.Adding a New Key Chain Entry Assigning a Time-IndependentKey to a Chain send-lifetime infinite: Assigning Time-DependentKeys to a Chain start time period accept-lifetime Figure 15-3.Adding Time-DependentKeys to a Key Chain Entry Figure 15-4.Display of Time-DependentKeys in the Key Chain Entry key-chain Figure 15-5.Status of Keys in Key Chain Entry “Procurve2” Index Numerics