HP Switch 6120 User Manual

Browse online or download the user manual for the HP Switch 6120 software. HP Switch 6120 User's Manual (Access Security Guide).


Table of Contents

Page 1 - Access Security Guide

August 2009 ProCurve Series 6120 Switches Access Security Guide

Page 2 - Hewlett-Packard Company

ix · 7 Configuring Secure Socket Layer (SSL) · Contents ...

Page 3

3-23 · Web and MAC Authentication · Configuring Web Authentication · Syntax: aaa port-access <port-list> controlled-directions <both | in>— Contin

Page 4

3-24 · Web and MAC Authentication · Configuring Web Authentication · Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication o

Page 5

3-25 · Web and MAC Authentication · Configuring Web Authentication · Figure 6. Adding Web Servers with the aaa port-access web-based ews-server Command. Specif

Page 6 - 3 Web and MAC Authentication

3-26 · Web and MAC Authentication · Configuring Web Authentication · Figure 7. Removing a Web Server with the aaa port-access web-based ews-server Command. Pro

Page 7 - 4 TACACS+ Authentication

3-27 · Web and MAC Authentication · Configuring Web Authentication · Syntax: aaa port-access web-based <port-list> [reauth-period <0 - 9999999>] Sp

Page 8

3-28 · Web and MAC Authentication · Configuring Web Authentication · Show Commands for Web Authentication. Command, Page: show port-access web-based [port-list] 3-2

Page 9

3-29 · Web and MAC Authentication · Configuring Web Authentication · Figure 4. Example of show port-access web-based Command Output. Figure 5. Example of show

Page 10

3-30 · Web and MAC Authentication · Configuring Web Authentication · Figure 6. Example of show port-access web-based clients detailed Command Output. Syntax: sh

Page 11

3-31 · Web and MAC Authentication · Configuring Web Authentication · Figure 7. Example of show port-access web-based config Command Output. Syntax: show port-ac

Page 12 - 10 Configuring Port-Based and

3-32 · Web and MAC Authentication · Configuring Web Authentication · Figure 8. Example of show port-access web-based config detail Command Output. Syntax: show

Page 13

x · Using DHCP Snooping with Option 82 ... 8-9 · Changing the Remote-id from a MAC to an IP Address ...

Page 14

3-33 · Web and MAC Authentication · Configuring Web Authentication · Figure 9. Example of show port-access web-based config auth-server Command Output. Syntax:

Page 15

3-34 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Customizing Web Authentication HTML Files (Optional). The Web Authenti

Page 16

3-35 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · To configure a web server on your network, follow the instructions

Page 17

3-36 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Customizable HTML Templates. The sample HTML files described in the fo

Page 18 - Product Documentation

3-37 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Figure 9. HTML Code for User Login Page Template <!--ProCurve W

Page 19 - Software Feature Index

3-38 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Access Granted Page (accept.html). Figure 9-10. Access Granted Page

Page 20 - Features

3-39 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Figure 11. HTML Code for Access Granted Page Template <!--ProCur

Page 21

3-40 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Authenticating Page (authen.html). Figure 12. Authenticating Pag

Page 22

3-41 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Invalid Credentials Page (reject_unauthvlan.html). Figure 10. Inva

Page 23 - Security Overview

3-42 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Figure 14. HTML Code for Invalid Credentials Page Template <!--P

Page 24 - Introduction

xi · 9 Traffic/Security Filters and Monitors · Contents ...

Page 25 - Access Security Features

3-43 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Timeout Page (timeout.html). Figure 15. Timeout Page. The timeout.h

Page 26

3-44 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Retry Login Page (retry_login.html). Figure 17. Retry Login Page. T

Page 27

3-45 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Figure 18. HTML Code for Retry Login Page Template <!--ProCurve

Page 28

3-46 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · SSL Redirect Page (sslredirect.html). Figure 19. SSL Redirect Pag

Page 29 - Network Security Features

3-47 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Figure 20. HTML Code for SSL Redirect Page Template <!--ProCurve

Page 30

3-48 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Access Denied Page (reject_novlan.html). Figure 11. Access Denied P

Page 31 - Physical Security

3-49 · Web and MAC Authentication · Customizing Web Authentication HTML Files (Optional) · Figure 21. HTML Code for Access Denied Page Template <!--ProCurv

Page 32

3-50 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Configuring MAC Authentication on the Switch. Overview. 1. If you have not alrea

Page 33

3-51 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Configuration Commands for MAC Authentication. Command, Page: Configuration Level

Page 34

3-52 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Syntax: [no] aaa port-access mac-based <port-list> Enables MAC-based

Page 35

xii · Terminology ... 10-6 · General 802.1X Authenticator Op

Page 36

3-53 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Syntax: aaa port-access mac-based [e] <port-list> [logoff-period] <

Page 37 - SNMP Security Guidelines

3-54 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Show Commands for MAC-Based Authentication. Syntax: aaa port-access mac-based

Page 38

3-55 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Figure 3-22. Example of show port-access mac-based Command Output. Figure 4.

Page 39 - Dynamic Configuration Arbiter

3-56 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Figure 5. Example of show port-access mac-based clients detail Command Outp

Page 40 - Network Immunity Manager

3-57 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Figure 6. Example of show port-access mac-based config Command Output. Syntax

Page 41

3-58 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Figure 7. Example of show port-access mac-based config detail Command Outpu

Page 42

3-59 · Web and MAC Authentication · Configuring MAC Authentication on the Switch · Figure 8. Example of show port-access mac-based config auth-server Command

Page 43 - (IDM)

3-60 · Web and MAC Authentication · Client Status · Client Status. The table below shows the possible client status information that may be reported by a Web-bas

Page 44

4-1 · 4 TACACS+ Authentication · Contents · Overview ...

Page 45

4-2 · TACACS+ Authentication · Overview · Overview. TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in

Page 46

xiii · Port-Security ... 10-46 · Configuring Switch Ports To Operate

Page 47

4-3 · TACACS+ Authentication · Terminology Used in TACACS Applications: · TACACS+ server for authentication services. If the switch fails to connect to any TAC

Page 48

4-4 · TACACS+ Authentication · Terminology Used in TACACS Applications: · face. (Using the menu interface you can assign a local password, but not a username.)

Page 49 - Menu: Setting Passwords

4-5 · TACACS+ Authentication · General System Requirements · General System Requirements. To use TACACS+ authentication, you need the following: A TACACS+ serve

Page 50

4-6 · TACACS+ Authentication · General Authentication Setup Procedure · other access type (console, in this case) open in case the Telnet access fails due to a

Page 51

4-7 · TACACS+ Authentication · General Authentication Setup Procedure · Note on Privilege Levels. When a TACACS+ server authenticates an access request from a sw

Page 52 - [Apply Changes]

4-8 · TACACS+ Authentication · Configuring TACACS+ on the Switch · configuration in your TACACS+ server application for misconfigurations or missing data tha

Page 53

4-9 · TACACS+ Authentication · Configuring TACACS+ on the Switch · CLI Commands Described in this Section. Viewing the Switch’s Current Authentication Configurat

Page 54 - Credentials

4-10 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Viewing the Switch’s Current TACACS+ Server Contact Configuration. This command lists the tim

Page 55 - Password Command Options

4-11 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Configuring the Switch’s Authentication Methods. The aaa authentication command configures ac

Page 56 - SNMP Security Credentials

4-12 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Authentication Parameters. Table 4-1. AAA Authentication Parameters. Syntax: aaa authentication

Page 57

xiv · Deploying MAC Lockdown ... 11-26 · MAC Lockout ...

Page 58

4-13 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Configuring the TACACS+ Server for Single Login. In order for the single login feature to wor

Page 59

4-14 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup. Then scroll d

Page 60

4-15 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Figure 4-5. The Shell Section of the TACACS+ Server User Setup. As shown in the next table, l

Page 61

4-16 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Table 4-2. Primary/Secondary Authentication Table. Caution Regarding the Use of Local for Log

Page 62

4-17 · TACACS+ Authentication · Configuring TACACS+ on the Switch · For example, here is a set of access options and the corresponding commands to configure th

Page 63

4-18 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Configuring the Switch’s TACACS+ Server Access. The tacacs-server command configures these pa

Page 64 - Restrictions

4-19 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Note on Encryption Keys. Encryption keys configured in the switch must exactly match the encr

Page 65

4-20 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Specifies the IP address of a device running a TACACS+ server application. Optionally, can

Page 66 - Front-Panel Security

4-21 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was

Page 67 - Front-Panel Button Functions

4-22 · TACACS+ Authentication · Configuring TACACS+ on the Switch · Figure 4-7. Example of the Switch After Assigning a Different “First-Choice” Server. To remov

Page 68 - Reset Button

xv · Building IP Masks ... 12-10 · Configuring One Station Per Authorize

Page 69 - ResetClear

4-23 · TACACS+ Authentication · Configuring TACACS+ on the Switch · To delete a per-server encryption key in the switch, re-enter the tacacs-server host comman

Page 70

4-24 · TACACS+ Authentication · How Authentication Operates · How Authentication Operates. General Authentication Process Using a TACACS+ Server. Authentication th

Page 71

4-25 · TACACS+ Authentication · How Authentication Operates · 4. When the requesting terminal responds to the prompt with a password, the switch forwards it to

Page 72

4-26 · TACACS+ Authentication · How Authentication Operates · Local Authentication Process. When the switch is configured to use TACACS+, it reverts to local aut

Page 73

4-27 · TACACS+ Authentication · How Authentication Operates · Using the Encryption Key. General Operation. When used, the encryption key (sometimes termed “key”, “
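The "Note on Encryption Keys" on page 4-19 and "Using the Encryption Key" on page 4-27 both describe a property of the TACACS+ protocol rather than of this switch: the key is never sent on the wire. Each side derives an MD5 keystream from the session id, the key, the version byte and the sequence number and XORs it over the packet body (RFC 8907, section 4.5), so a key mismatch does not produce an error from the peer; the peer simply decodes garbage and rejects the login. The Python below is an added example, not code from the ProCurve guide; the session id, key, user name, port and remote address are constructed for the demo.

```python
"""TACACS+ (RFC 8907) body obfuscation with the shared key.

Added example, not code from the ProCurve guide. The switch and the server
never transmit the key: each side derives an MD5 keystream from
(session_id, key, version, seq_no) and XORs it over the packet body. A key
mismatch therefore does not fail loudly; the receiver just decodes noise,
which is why the guide insists the two keys match exactly. The session id,
key and login fields below are constructed for the demo."""
import hashlib
import struct
from typing import Tuple

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body in clear text; a misconfiguration in production
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length


def keystream(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_i = MD5(session_id|key|version|seq_no|pad_(i-1))."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < n:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                 ptype: int = TAC_PLUS_AUTHEN, minor: int = 0) -> bytes:
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    if key:
        body = _xor(body, keystream(session_id, key, version, seq_no, len(body)))
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(key: bytes, pkt: bytes) -> Tuple[dict, bytes]:
    """Return (header fields, decoded body). Decoding with the wrong key yields noise."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(pkt)
    body = pkt[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    hdr = dict(version=version, type=ptype, seq_no=seq_no, flags=flags, session_id=session_id)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body            # peer sent clear text; treat as a configuration error
    return hdr, _xor(body, keystream(session_id, key, version, seq_no, length))


def authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body: action=LOGIN(1), authen_type=ASCII(1), service=LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), 0]) + u + p + r


def parse_authen_start(body: bytes) -> dict:
    """Split a START body by its length fields; inconsistent lengths mean a bad key or packet."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    if off != len(body):
        raise ValueError("START body length does not match its field lengths")
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def demo() -> dict:
    """Same packet decoded with the configured key and with a one-character typo in it."""
    key = b"tacacs-shared-key"                      # constructed demo key
    body = authen_start("admin", "vty0", "10.0.0.25")
    pkt = build_packet(key, session_id=0x1234ABCD, seq_no=1, body=body)
    _, good = parse_packet(key, pkt)
    _, bad = parse_packet(b"tacacs-shared-kay", pkt)
    return {"match": good == body, "user": parse_authen_start(good)["user"],
            "mismatch_equal": bad == body}
```

The `TAC_PLUS_UNENCRYPTED_FLAG` branch is the check worth keeping in any monitoring code: a TACACS+ peer that sets it is sending credentials in clear text, which is how a missing or empty key shows up on the wire.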

Page 74

4-28 · TACACS+ Authentication · Controlling Web Browser Interface Access When Using TACACS+ Authentication · For example, you would use the next command to con

Page 75 - Password Recovery

4-29 · TACACS+ Authentication · Messages Related to TACACS+ Operation · Messages Related to TACACS+ Operation. The switch generates the CLI messages listed below

Page 76 - [N] (for “No”)

4-30 · TACACS+ Authentication · Operating Notes · When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not acce

Page 77 - Password Recovery Process

5-1 · 5 RADIUS Authentication, Authorization, and Accounting · Contents · Overview ...

Page 78

5-2 · RADIUS Authentication, Authorization, and Accounting · Contents · Example Configuration on Cisco Secure ACS for MS Windows 5-30. Example Configuration Usi

Page 80

5-3 · RADIUS Authentication, Authorization, and Accounting · Overview · Overview. RADIUS (Remote Authentication Dial-In User Service) enables you to use up to th

Page 81 - MAC Authentication

5-4 · RADIUS Authentication, Authorization, and Accounting · Overview · Note The switch does not support RADIUS security for SNMP (network management) access.

Page 82

5-5 · RADIUS Authentication, Authorization, and Accounting · Terminology · Terminology. AAA: Authentication, Authorization, and Accounting groups of services pro

Page 83 - Wireless Clients

5-6 · RADIUS Authentication, Authorization, and Accounting · Switch Operating Rules for RADIUS · Vendor-Specific Attribute: A vendor-defined value configured i

Page 84 - Web-based Authentication

5-7 · RADIUS Authentication, Authorization, and Accounting · General RADIUS Setup Procedure · General RADIUS Setup Procedure. Preparation: 1. Configure one to thr

Page 85

5-8 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Configuring the Switch for RADIUS Authenticatio

Page 86 - MAC-based Authentication

5-9 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Outline of the Steps for Configuring RADIUS Aut

Page 87

5-10 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · • Timeout Period: The timeout period the switc

Page 88

5-11 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · ure local for the secondary method. This preve

Page 89 - Operating Rules and Notes

5-12 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Figure 5-2 shows an example of the show authen

Page 90

xvii · Product Documentation · About Your Switch Manual Set. Note For the latest version of switch documentation, please visit any of the following websites:

Page 91 - Setup Procedure for Web/MAC

5-13 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Figure 5-3. Example Configuration for RADIUS

Page 92

5-14 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · this default behavior for clients with Enable

Page 93

5-15 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Note If you want to configure RADIUS accountin

Page 94

5-16 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · For example, suppose you have configured the s

Page 95

5-17 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Figure 5-4. Sample Configuration for RADIUS Se

Page 96

5-18 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Global server key: The server key the switch

Page 97

5-19 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Note Where the switch has multiple RADIUS serv

Page 98

5-20 · RADIUS Authentication, Authorization, and Accounting · Configuring the Switch for RADIUS Authentication · Figure 5-7. Listings of Global RADIUS Paramete

Page 99

5-21 · RADIUS Authentication, Authorization, and Accounting · Using SNMP To View and Configure Switch Authentication Features · Using SNMP To View and Configur

Page 100 - Web and MAC Authentication

5-22 · RADIUS Authentication, Authorization, and Accounting · Using SNMP To View and Configure Switch Authentication Features · Changing and Viewing the SNMP A

Page 101

xviii · Software Feature Index · This feature index indicates which manual to consult for information on a given software feature. Note This Index does not c

Page 102

5-23 · RADIUS Authentication, Authorization, and Accounting · Using SNMP To View and Configure Switch Authentication Features · An alternate method of determin

Page 103 - ProCurve Switch (config)#

5-24 · RADIUS Authentication, Authorization, and Accounting · Local Authentication Process · Local Authentication Process. When the switch is configured to use R

Page 104

5-25 · RADIUS Authentication, Authorization, and Accounting · Controlling Web Browser Interface Access · Controlling Web Browser Interface Access. To help preven

Page 105

5-26 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · Commands Authorization. The RADIUS protocol combines user authentication a

Page 106

5-27 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · Enabling Authorization. To configure authorization for controlling access

Page 107

5-28 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · Displaying Authorization Information. You can show the authorization infor

Page 108

5-29 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · The results of using the HP-Command-String and HP-Command-Exception attr

Page 109

5-30 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · Example Configuration on Cisco Secure ACS for MS Windows. It is necessary

Page 110

5-31 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · Profile=IN OUT / Enums=Hp-Command-Exception-Types / [Hp-Command-Exception-Type

Page 111 - Files (Optional)

5-32 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · 6. Right click and then select New > key. Add the vendor Id number th

Page 112 - Customizing HTML Templates

Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551, www.procurve.com. © Copyright 2009 Hewlett-Packard Development

Page 113 - Customizable HTML Templates

xix · Downloading Software X · Event Log X · Factory Default Settings X · Flow Control (802.3x) X · File Transfers X · Friendly Port Names X · GVRP X · Identity-Driven Manage

Page 114

5-33 · RADIUS Authentication, Authorization, and Accounting · Commands Authorization · 2. Find the location of the dictionary files used by FreeRADIUS (try /us

Page 115

5-34 · RADIUS Authentication, Authorization, and Accounting · VLAN Assignment in an Authentication Session · VLAN Assignment in an Authentication Session. A swit

Page 116

5-35 · RADIUS Authentication, Authorization, and Accounting · VLAN Assignment in an Authentication Session · Tagged and Untagged VLAN Attributes. When you config

Page 117

5-36 · RADIUS Authentication, Authorization, and Accounting · VLAN Assignment in an Authentication Session · Additional RADIUS Attributes. The following attribut
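The RADIUS "Global server key" (page 5-18) and the VLAN assignment attributes (pages 5-34 to 5-36) meet in the packet exchange between the switch (the NAS) and the server. The shared key hides User-Password in the Access-Request, and it also signs the server's reply: the Response Authenticator on the Access-Accept is an MD5 over the packet plus the secret, and a NAS that fails to verify it will accept a VLAN assignment from anyone who can spoof the server's source address. The Python below is an added example, not code from the ProCurve guide. The secret, the Request Authenticator and the VLAN are constructed values, and only the RFC 3580 Tunnel-* attributes are decoded; the tagged-egress attribute forms the guide lists separately are not covered.

```python
"""RADIUS (RFC 2865/2868/3580) shared-secret handling between switch and server.

Added example, not code from the ProCurve guide. The NAS hides User-Password
in the Access-Request, the server signs its Access-Accept with the Response
Authenticator, the NAS verifies that authenticator with its own key before
acting on the reply, and the Tunnel-* attributes carrying the VLAN are read."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def _md5_chain(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else block       # always chain on the hidden (cipher) block
    return out


def hide_password(pw: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _md5_chain(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _md5_chain(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")


def attr(t: int, v: bytes) -> bytes:
    return bytes([t, 2 + len(v)]) + v


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def access_request(secret: bytes, ident: int, user: bytes, pw: bytes, req_auth: bytes) -> bytes:
    """NAS side. req_auth must be 16 unpredictable bytes (os.urandom) in real use."""
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(pw, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def access_accept(secret: bytes, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(secret: bytes, ident: int, req_auth: bytes, resp: bytes) -> bool:
    """NAS side. A reply that does not verify under the configured key is discarded."""
    if len(resp) < 20 or resp[1] != ident or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def assigned_vlan(attrs: List[Tuple[int, bytes]]) -> Optional[str]:
    """RFC 3580 VLAN triple; a leading byte <= 0x1F is an RFC 2868 tag and is skipped."""
    ttype = tmed = group = None
    for t, v in attrs:
        if t == TUNNEL_TYPE and len(v) == 4:
            ttype = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE and len(v) == 4:
            tmed = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            group = v[1:] if v[0] <= 0x1F else v
    if ttype == TUNNEL_TYPE_VLAN and tmed == MEDIUM_IEEE_802 and group:
        return group.decode()
    return None


def demo() -> dict:
    secret, ident = b"radius-shared-secret", 9     # constructed demo values
    req_auth = bytes(range(16))                    # constructed; never fixed in real use
    req = access_request(secret, ident, b"alice", b"Correct-Horse", req_auth)
    # Server: recover the password, then answer with a VLAN assignment.
    pw = reveal_password(dict(parse_attrs(req[20:]))[USER_PASSWORD], secret, req_auth)
    vlan_attrs = (attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                  + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big"))
                  + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20"))
    accept = access_accept(secret, ident, req[4:20], vlan_attrs)
    forged = access_accept(b"wrong-secret", ident, req[4:20], vlan_attrs)
    return {"password": pw,
            "accept_ok": verify_response(secret, ident, req_auth, accept),
            "forged_ok": verify_response(secret, ident, req_auth, forged),
            "vlan": assigned_vlan(parse_attrs(accept[20:]))}
```

Two points the code makes concrete: the password hiding is reversible by anyone holding the shared secret, so the secret deserves the same handling as a password, and `verify_response` is the only thing standing between a spoofed Access-Accept and a VLAN change on the port.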

Page 118

5-37 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · Configuring RADIUS Accounting. Note This section assumes you have a

Page 119

5-38 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · Exec accounting: Provides records holding the information liste

Page 120

5-39 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · Operating Rules for RADIUS Accounting. You can configure up to fo

Page 121

5-40 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · must match the encryption key used on the specified RADIUS server

Page 122

5-41 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · (For a more complete description of the radius-server command and

Page 123

5-42 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · For example, suppose you want the switch to use the RADIUS ser

Page 124

xx · Port Monitoring X · Port Security X · Port Status X · Port Trunking (LACP) X · Port-Based Access Control (802.1X) X · Protocol VLANS X · Quality of Service (QoS) X · RAD

Page 125

5-43 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · Note that there is no time span associated with using the system

Page 126

5-44 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · For example, to configure RADIUS accounting on the switch with st

Page 127 - Overview

5-45 · RADIUS Authentication, Authorization, and Accounting · Configuring RADIUS Accounting · To continue the example in figure 5-12, suppose that you wanted t

Page 128

5-46 · RADIUS Authentication, Authorization, and Accounting · Viewing RADIUS Statistics · Viewing RADIUS Statistics. General RADIUS Statistics. Figure 5-14. Exampl

Page 129

5-47 · RADIUS Authentication, Authorization, and Accounting · Viewing RADIUS Statistics · Figure 5-15. RADIUS Server Information From the Show Radius Host Comm

Page 130

5-48 · RADIUS Authentication, Authorization, and Accounting · Viewing RADIUS Statistics · RADIUS Authentication Statistics. Figure 5-16. Example of Login Attempt

Page 131

5-49 · RADIUS Authentication, Authorization, and Accounting · Viewing RADIUS Statistics · Figure 5-17. Example of RADIUS Authentication Information from a Spec

Page 132

5-50 · RADIUS Authentication, Authorization, and Accounting · Changing RADIUS-Server Access Order · Figure 5-19. Example of RADIUS Accounting Information for a

Page 133

5-51 · RADIUS Authentication, Authorization, and Accounting · Changing RADIUS-Server Access Order · Figure 5-21. Search Order for Accessing a RADIUS Server. To e

Page 134

5-52 · RADIUS Authentication, Authorization, and Accounting · Changing RADIUS-Server Access Order · Figure 5-22. Example of New RADIUS Server Search Order. Remov

Page 135

xxi · VLANs X · Web Authentication RADIUS Support X · Web-based Authentication X · Web UI X · Intelligent Edge Software Features · Manual · Management and Configuration · Advanc

Page 136

5-53 · RADIUS Authentication, Authorization, and Accounting · Messages Related to RADIUS Operation · Messages Related to RADIUS Operation. Message / Meaning: Can’t r

Page 137 - Client Status

6-1 · 6 Configuring Secure Shell (SSH) · Contents · Overview ...

Page 138 - TACACS+ Authentication

6-2 · Configuring Secure Shell (SSH) · Overview · Overview. The switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to man

Page 139

6-3 · Configuring Secure Shell (SSH) · Terminology · Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, v

Page 140 - Applications:

6-4 · Configuring Secure Shell (SSH) · Terminology · Enable Level: Manager privileges on the switch. Login Level: Operator privileges on the switch. Local

Page 141

6-5 · Configuring Secure Shell (SSH) · Prerequisite for Using SSH · Prerequisite for Using SSH. Before using the switch as an SSH server, you must install a publ

Page 142 - General System Requirements

6-6 · Configuring Secure Shell (SSH) · Steps for Configuring and Using SSH for Switch and Client Authentication · Steps for Configuring and Using SSH for Switch

Page 143

6-7 · Configuring Secure Shell (SSH) · Steps for Configuring and Using SSH for Switch and Client Authentication · B. Switch Preparation. 1. Assign a login (Opera

Page 144 - Privilege Levels

6-8 · Configuring Secure Shell (SSH) · General Operating Rules and Notes · General Operating Rules and Notes. Public keys generated on an SSH client must be ex

Page 145 - Before You Begin

6-9 · Configuring Secure Shell (SSH) · Configuring the Switch for SSH Operation · Configuring the Switch for SSH Operation. SSH-Related Commands in This Section

Page 146 - Configuration

1-1 · Security Overview · Contents · 1 Security Overview · Contents · Introduction ...

Page 147 - Server Contact Configuration

6-10 · Configuring Secure Shell (SSH) · Configuring the Switch for SSH Operation · 1. Assigning a Local Login (Operator) and Enable (Manager) Password. At a mini

Page 148

6-11 · Configuring Secure Shell (SSH) · Configuring the Switch for SSH Operation · Note When you generate a host key pair on the switch, the switch places the

Page 149 - Authentication Parameters

6-12 · Configuring Secure Shell (SSH) · Configuring the Switch for SSH Operation · For example, to generate and display a new key: Figure 6-5. Example of Genera

Page 150

6-13 · Configuring Secure Shell (SSH) · Configuring the Switch for SSH Operation · Notes "Zeroizing" the switch’s key automatically disables SSH (set

Page 151

6-14 · Configuring Secure Shell (SSH) · Configuring the Switch for SSH Operation · (The generated public key on the switch is always 896 bits.) With a direct se

Page 152

6-15 · Configuring Secure Shell (SSH) · Configuring the Switch for SSH Operation · Non-encoded ASCII numeric string: Requires a client ability to display the
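Pages 6-14 and 6-15 are about displaying the switch's host public key in a form (fingerprint, or the plain numeric string) that can be compared with what the SSH client shows on the first connection; pages 6-26 to 6-28 cover the reverse direction, assembling a text file of client public keys for the switch to accept. Both are the same check done by hand: parse the key, derive the fingerprint, compare. The Python below is an added example, not code from the ProCurve guide or OpenSSH. It assumes the one-line OpenSSH `ssh-rsa <base64> <comment>` format for both directions; the sample key is built from made-up numbers and is not a real key, and `validate_pubkey_file` is this example's own check, not a switch feature.

```python
"""Checking an SSH public key (switch host key or client key) before trusting it.

Added example, not from the ProCurve guide. parse_openssh_line() decodes the
one-line OpenSSH "ssh-rsa AAAA... comment" format, fingerprints() derives the
MD5 hex and SHA-256 fingerprints clients display on first connect, and
numeric_form() renders the key as "<bits> <e> <n>" in decimal. The key used in
demo() is constructed from made-up numbers and is not a real key."""
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def _mpint(n: int) -> bytes:
    # SSH mpint is two's complement big-endian: add a 0x00 byte when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_openssh_line(e: int, n: int, comment: str = "") -> str:
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_openssh_line(line: str) -> Tuple[bytes, int, int]:
    """Return (key blob, e, n); raise ValueError for anything that is not a well-formed RSA key."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64>' line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("!I", blob, i)
        i += 4
        if i + length > len(blob):
            raise ValueError("truncated key field")
        fields.append(blob[i:i + length])
        i += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key")
    return blob, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprints(blob: bytes) -> dict:
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "sha256": "SHA256:" + sha}


def numeric_form(e: int, n: int) -> str:
    return f"{n.bit_length()} {e} {n}"


def fingerprint_matches(blob: bytes, shown: str) -> bool:
    """Compare a fingerprint read off the console with the key the client received,
    tolerating an 'MD5:' prefix, upper-case hex and a missing 'SHA256:' prefix."""
    fp = fingerprints(blob)
    s = shown.strip()
    if s.upper().startswith("MD5:"):
        s = s[4:]
    if len(s) == 47 and s.count(":") == 15:
        return s.lower() == fp["md5"]
    if not s.startswith("SHA256:"):
        s = "SHA256:" + s
    return s == fp["sha256"]


def validate_pubkey_file(text: str) -> List[Tuple[int, int]]:
    """One RSA key per line, blank and '#' lines ignored, duplicates rejected (assumed format)."""
    seen, keys = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        blob, e, n = parse_openssh_line(line)
        if blob in seen:
            raise ValueError(f"line {lineno}: duplicate key")
        seen.add(blob)
        keys.append((e, n))
    return keys


def demo() -> dict:
    e, n = 65537, (1 << 1023) | 0x1F2E3D4C5B6A79          # constructed, not a real modulus
    line = make_openssh_line(e, n, "admin@mgmt-host")
    blob, e2, n2 = parse_openssh_line(line)
    fp = fingerprints(blob)
    other = parse_openssh_line(make_openssh_line(e, n ^ 2))[0]   # a different key
    return {"roundtrip": (e2, n2) == (e, n), "bits": n2.bit_length(),
            "md5_ok": fingerprint_matches(blob, "MD5:" + fp["md5"].upper()),
            "sha_ok": fingerprint_matches(blob, fp["sha256"][7:]),
            "other_key_ok": fingerprint_matches(other, fp["md5"])}
```

The comparison is only worth something when the reference fingerprint came over a channel the network cannot tamper with, which for a switch means the serial console; a fingerprint copied from a previous SSH session proves nothing.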

Seite 153 - Login Primary

6-16Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNote Before enabling SSH on the switch you must generate the switch’s public

Seite 154

6-17Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationTo disable SSH on the switch, do either of the following: Execute no ip ssh

Seite 155

6-18Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation[mac <mac-type>]Allows configuration of the set of MACs that can be se

Seite 156 - Encryption Keys

6-19Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNote on Port NumberProCurve recommends using the default TCP port number (22

Seite 157

1-2Security OverviewIntroductionIntroductionThis chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3

Seite 158 - First-Choice TACACS+ Server

6-20Configuring Secure Shell (SSH)Configuring the Switch for SSH Operationaccess to the serial port (and the Clear button, which removes local passwor

Seite 159

6-21Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationOption B: Configuring the Switch for Client Public-Key SSH Authentication.

Seite 160 - write mem)

6-22Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, assume that you have a client public-key file named Client-Keys

Seite 161 - How Authentication Operates

6-23Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-11. Configuring for SSH Access Requiring a Client Public-Key Match

Seite 162

6-24Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication6. Use an SSH Client To Access the SwitchTest the SSH con

Seite 163 - Local Authentication Process

6-25Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication1. The client sends its public key to the switch with a r

Seite 164 - Using the Encryption Key

6-26Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationTo Create a Client-Public-Key Text File. These steps des

Seite 165 - Authentication

6-27Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication2. Copy the client’s public key into a text file (filena

Seite 166 - Operating Notes

6-28Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationNote copy usb pub-key file can also be used as a method f

Seite 167

6-29Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFor example, if you wanted to copy a client public-key fi

Seite 168 - Accounting

1-3Security OverviewAccess Security FeaturesAccess Security FeaturesThis section provides an overview of the switch’s access security features, authen

Seite 169 - Contents

6-30Configuring Secure Shell (SSH)Messages Related to SSH OperationCaution To enable client public-key authentication to block SSH clients whose publi

Seite 170

6-31Configuring Secure Shell (SSH)Messages Related to SSH OperationLogging MessagesThere are event log messages when a new key is generated and zeroiz

Seite 171 - Configuration MIB

6-32Configuring Secure Shell (SSH)Messages Related to SSH OperationDebug LoggingTo add ssh messages to the debug log output, enter this command:ProCur

Seite 172 - Terminology

7-17Configuring Secure Socket Layer (SSL)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Seite 173

7-2Configuring Secure Socket Layer (SSL)OverviewOverviewThe switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for

Seite 174

7-3Configuring Secure Socket Layer (SSL)TerminologyFigure 7-1. Switch/User AuthenticationSSL on the switches covered in this guide supports these data

Seite 175

7-4Configuring Secure Socket Layer (SSL)Terminology Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-

Seite 176

7-5Configuring Secure Socket Layer (SSL)Prerequisite for Using SSLPrerequisite for Using SSLBefore using the switch as an SSL server, you must install

Seite 177 - You Want RADIUS To Protect

7-6Configuring Secure Socket Layer (SSL)General Operating Rules and NotesGeneral Operating Rules and Notes Once you generate a certificate on the swi

Seite 178

7-7Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationConfiguring the Switch for SSL Operation1. Assigning a Local Login (Op

Seite 179

1-4Security OverviewAccess Security FeaturesTelnet andWeb-browser accessenabled The default remote management protocols enabled on the switch are plai

Seite 180

7-8Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 7-2. Example of Configuring Local Passwords1. Proceed to the

Seite 181

7-9Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operationto connect via SSL to the switch. (The session key pair mentioned abov

Seite 182

7-10Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationCLI commands used to generate a Server Host Certificate. To generate

Seite 183

7-11Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTable 7-1. Certificate Field Descriptions For example, to generate a

Seite 184

7-12Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationCLI Command to view host certificates. To view the current host cert

Seite 185

7-13Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTo generate a self signed host certificate from the web browser inter

Seite 186

7-14Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFor example, to generate a new host certificate via the web browsers

Seite 187

7-15Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-6. Web browser Interface showing current SSL Host Certificat

Seite 188

7-16Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationThe installation of a CA-signed certificate involves interaction with

Seite 189

7-17Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 7-7. Request for Verified Host Certificate Web Browser Interf

Page 190 - (hpSwitchAuth) is disabled

1-5Security OverviewAccess Security FeaturesSSL disabled Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser acces

Page 191

7-18Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNote Before enabling SSL on the switch you must generate the switch’s

Page 192

7-19Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the CLI Interface to Enable SSLTo enable SSL on the switch1. Ge

Page 193 - Commands Authorization

7-20Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-8. Using the web browser interface to enable SSL and select

Page 194 - Enabling Authorization

7-21Configuring Secure Socket Layer (SSL)Common Errors in SSL setup

Page 195

8-18Configuring Advanced Threat ProtectionContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 196

8-2Configuring Advanced Threat ProtectionContentsOperating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 197

8-3Configuring Advanced Threat ProtectionIntroductionIntroductionAs your network expands to include an increasing number of mobile devices, continuous

Page 198

8-4Configuring Advanced Threat ProtectionDHCP Snooping• Attempts to exhaust system resources so that sufficient resources are not available to transmi

Page 199

8-5Configuring Advanced Threat ProtectionDHCP SnoopingDHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected t

Page 200

8-6Configuring Advanced Threat ProtectionDHCP SnoopingTo display the DHCP snooping configuration, enter this command:ProCurve(config)# show dhcp-snoop

Page 201

1-6Security OverviewAccess Security Features802.1X Access Controlnone This feature provides port-based or user-based authentication through a RADIUS s

Page 202

8-7Configuring Advanced Threat ProtectionDHCP SnoopingFigure 8-2. Example of Show DHCP Snooping StatisticsEnabling DHCP Snooping on VLANSDHCP snooping

Page 203 - Additional RADIUS Attributes

8-8Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring DHCP Snooping Trusted PortsBy default, all ports are untrusted. To configure a port

Page 204 - Configuring RADIUS Accounting

8-9Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring Authorized Server AddressesIf authorized server addresses are configured, a packet f

Page 205

8-10Configuring Advanced Threat ProtectionDHCP SnoopingNote DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, n

Page 206

8-11Configuring Advanced Threat ProtectionDHCP SnoopingChanging the Remote-id from a MAC to an IP AddressBy default, DHCP snooping uses the MAC addres

Page 207

8-12Configuring Advanced Threat ProtectionDHCP SnoopingFigure 8-7. Example Showing the DHCP Snooping Verify MAC SettingThe DHCP Binding DatabaseDHCP s

Page 208

8-13Configuring Advanced Threat ProtectionDHCP SnoopingA message is logged in the system event log if the DHCP binding database fails to update.To dis

Page 209

8-14Configuring Advanced Threat ProtectionDHCP Snooping ProCurve recommends running a time synchronization protocol such as SNTP in order to track le

Page 210

8-15Configuring Advanced Threat ProtectionDHCP SnoopingCeasing untrusted relay information logs for <duration>. More than one DHCP client packe

Page 211 - Interim Updating Options

8-16Configuring Advanced Threat ProtectionDynamic ARP ProtectionDynamic ARP ProtectionIntroductionOn the VLAN interfaces of a routing switch, dynamic

Page 212

1-7Security OverviewNetwork Security FeaturesNetwork Security FeaturesThis section outlines features and defence mechanisms for protecting access thro

Page 213 - Viewing RADIUS Statistics

8-17Configuring Advanced Threat ProtectionDynamic ARP Protection• If a binding is valid, the switch updates its local ARP cache and forwards the packe

Page 214

8-18Configuring Advanced Threat ProtectionDynamic ARP ProtectionEnabling Dynamic ARP ProtectionTo enable dynamic ARP protection for VLAN traffic on a

Page 215

8-19Configuring Advanced Threat ProtectionDynamic ARP ProtectionFigure 8-9. Configuring Trusted Ports for Dynamic ARP ProtectionTake into account the

Page 216 - RADIUS Accounting Statistics

8-20Configuring Advanced Threat ProtectionDynamic ARP ProtectionAdding an IP-to-MAC Binding to the DHCP DatabaseA routing switch maintains a DHCP bind

Page 217

8-21Configuring Advanced Threat ProtectionDynamic ARP ProtectionConfiguring Additional Validation Checks on ARP PacketsDynamic ARP protection can be c

Page 218

8-22Configuring Advanced Threat ProtectionDynamic ARP ProtectionFigure 8-1. The show arp-protect CommandDisplaying ARP Packet StatisticsTo display sta

Page 219

8-23Configuring Advanced Threat ProtectionDynamic IP LockdownMonitoring Dynamic ARP ProtectionWhen dynamic ARP protection is enabled, you can monitor

Page 220 - as both the primary

8-24Configuring Advanced Threat ProtectionDynamic IP LockdownProtection Against IP Source Address SpoofingMany network attacks occur when an attacker

Page 221

8-25Configuring Advanced Threat ProtectionDynamic IP Lockdown The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports c

Page 222

8-26Configuring Advanced Threat ProtectionDynamic IP LockdownAssuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown

Page 224

1-8Security OverviewNetwork Security FeaturesConnection-Rate Filtering based on Virus-Throttling Technology none This feature helps protect the networ

Page 225 - Public Key Formats

8-27Configuring Advanced Threat ProtectionDynamic IP Lockdown• Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. I

Page 226

8-28Configuring Advanced Threat ProtectionDynamic IP LockdownAdding an IP-to-MAC Binding to the DHCP Binding DatabaseA switch maintains a DHCP binding

Page 227

8-29Configuring Advanced Threat ProtectionDynamic IP LockdownAdding a Static BindingTo add the static configuration of an IP-to-MAC binding for a port

Page 228

8-30Configuring Advanced Threat ProtectionDynamic IP LockdownAn example of the show ip source-lockdown status command output is shown in Figure 8-5. N

Page 229

8-31Configuring Advanced Threat ProtectionDynamic IP LockdownFigure 8-6. Example of show ip source-lockdown bindings Command OutputIn the show ip sour

Page 230 - Enable (Manager) Password

8-32Configuring Advanced Threat ProtectionDynamic IP LockdownFigure 8-7. Example of debug dynamic-ip-lockdown Command OutputProCurve(config)# debug dy

Page 231

8-33Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorUsing the Instrumentation MonitorThe instrumentation monitor can be used to

Page 232 - Key for the

8-34Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorOperating Notes To generate alerts for monitored events, you must enable t

Page 233 - Configuring Key Lengths

8-35Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorConfiguring Instrumentation MonitorThe following commands and parameters ar

Page 234

8-36Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorTo enable instrumentation monitor using the default parameters and thresh-o

Page 235 - Client Contact Behavior

1-9Security OverviewGetting Started with Access SecurityGetting Started with Access SecurityProCurve switches are designed as “plug and play” devices,

Page 236

8-37Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorViewing the Current Instrumentation Monitor ConfigurationThe show instrumen

Page 237 - ■ Execute no ip ssh

9-19Traffic/Security Filters and MonitorsContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 238

9-2Traffic/Security Filters and MonitorsOverviewOverviewSource-port filters are available on the HP ProCurve switch models covered in this guide.Intro

Page 239 - Note on Port

9-3Traffic/Security Filters and MonitorsFilter Types and OperationFilter Types and OperationTable 9-1. Filter Types and CriteriaStatic Filter TypeSele

Page 240

9-4Traffic/Security Filters and MonitorsFilter Types and OperationSource-Port FiltersThis filter type enables the switch to forward or drop traffic fr

Page 241

9-5Traffic/Security Filters and MonitorsFilter Types and Operation When you create a source port filter, all ports and port trunks (if any) on the sw

Page 242

9-6Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-3. The Filter for the Actions Shown in Figure 9-2Named Source-Port FiltersY

Page 243

9-7Traffic/Security Filters and MonitorsFilter Types and Operation A named source-port filter can only be deleted when it is not applied to any ports

Page 244 - Public-Key Authentication

9-8Traffic/Security Filters and MonitorsFilter Types and OperationA named source-port filter must first be defined and configured before it can be app

Page 245

9-9Traffic/Security Filters and MonitorsFilter Types and OperationUsing Named Source-Port FiltersA company wants to manage traffic to the Internet and

Page 246 - Modulus <n>

1-10Security OverviewGetting Started with Access SecurityKeeping the switch in a locked wiring closet or other secure space helps to prevent unauthori

Page 247 - Note on Public

9-10Traffic/Security Filters and MonitorsFilter Types and Operation Figure 9-5. Applying Example Named Source-Port FiltersOnce the named source-port f

Page 248

9-11Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-7. Example of the show filter CommandUsing the IDX value in the show filte

Page 249 - Key Index Number

9-12Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-8. Example Showing Traffic Filtered on Specific PortsThe same command, usi

Page 250

9-13Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-9. Example of Source Port Filtering with Internet TrafficAs the company gr

Page 251 - Logging Messages

9-14Traffic/Security Filters and MonitorsFilter Types and OperationThe following revisions to the named source-port filter definitions maintain the de

Page 252 - Debug Logging

9-15Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 9-12. Named Source-Port Filters Managing TrafficConfiguring Traffi

Page 253

9-16Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersConfiguring a Source-Port Traffic FilterSyntax: [no] filter [source-port

Page 254

9-17Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersExample of Creating a Source-Port FilterFor example, assume that you want

Page 255

9-18Traffic/Security Filters and MonitorsConfiguring Traffic/Security Filtersfilter on port 5, then create a trunk with ports 5 and 6, and display the

Page 256

9-19Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 9-14. Assigning Additional Destination Ports to an Existing Filter

Page 257 - Prerequisite for Using SSL

1-11Security OverviewGetting Started with Access SecurityThe welcome banner appears and the first setup option is displayed (Operator password). As yo

Page 258

9-20Traffic/Security Filters and MonitorsConfiguring Traffic/Security Filtersnew filter will receive the index number “2” and the second new filter wi

Page 259

10-110Configuring Port-Based andUser-Based Access Control (802.1X)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 260 - Security Tab

10-2Configuring Port-Based and User-Based Access Control (802.1X)Contents3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . .

Page 261

10-3Configuring Port-Based and User-Based Access Control (802.1X)OverviewOverviewWhy Use Port-Based or User-Based Access Control?Local Area Networks a

Page 262

10-4Configuring Port-Based and User-Based Access Control (802.1X)Overview• Port-Based access control option allowing authentication by a single client

Page 263 - Generate New Certificate

10-5Configuring Port-Based and User-Based Access Control (802.1X)OverviewThis operation improves security by opening a given port only to individually

Page 264 - Show host certificate command

10-6Configuring Port-Based and User-Based Access Control (802.1X)TerminologyThis operation unblocks the port while an authenticated client session is

Page 265

10-7Configuring Port-Based and User-Based Access Control (802.1X)Terminologya port loses its authenticated client connection, it drops its membership

Page 266 - [SSL] button

10-8Configuring Port-Based and User-Based Access Control (802.1X)TerminologyStatic VLAN: A VLAN that has been configured as “permanent” on the switch

Page 267 - Web browser interface

10-9Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationGeneral 802.1X Authenticator OperationThis oper

Page 268

1-12Security OverviewGetting Started with Access Security2. When you enter the wizard, you have the following options:• To update a setting, type in a

Page 269 - Browser Contact Behavior

10-10Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationNote The switches covered in this guide can us

Page 270

10-11Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationFigure 10-1. Priority of VLAN Assignment for a

Page 271

10-12Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and NotesGeneral Operating Rules and Notes In the user-base

Page 272

10-13Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and Notes If a port on switch “A” is configured as an 802.1

Page 273 - Common Errors in SSL setup

10-14Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlGeneral Setup Procedure for 802.1X

Page 274

10-15Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlFigure 10-2. Example of the Passwor

Page 275

10-16Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access Control3. Determine whether to use user-ba

Page 276

10-17Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlOverview: Configuring 802.1X Authen

Page 277 - DHCP Snooping

10-18Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsNote If you want to implement the o

Page 278 - Enabling DHCP Snooping

10-19Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators1. Enable 802.1X Authentication on

Page 279

1-13Security OverviewGetting Started with Access SecurityThe Welcome window appears.Figure 1-2. Management Interface Wizard: Welcome WindowThis page a

Page 280

10-20Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsB. Specify User-Based Authenticatio

Page 281

10-21Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsExample: Configuring User-Based 802

Page 282

10-22Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[quiet-period < 0 - 65535 >]S

Page 283

10-23Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[reauth-period < 0 - 9999999 >

Page 284

10-24Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators3. Configure the 802.1X Authenticat

Page 285 - The DHCP Binding Database

10-25Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators4. Enter the RADIUS Host IP Address

Page 286 - Operational Notes

10-26Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators6. Optional: Reset Authenticator Op

Page 287 - Log Messages

10-27Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators The 802.1s Multiple Spanning Tree

Page 288

10-28Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsBecause a port can be configured fo

Page 289 - Dynamic ARP Protection

10-29Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN Mode802.1X Open VLAN ModeIntroductionThis section describes how to

Page 290

1-14Security OverviewGetting Started with Access Security4. The summary setup screen displays the current configuration settings for all setup options

Page 291 - Configuring Trusted Ports

10-30Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote On ports configured to allow multiple sessions using 802.1

Page 292

10-31Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote After client authentication, the port resumes membership i

Page 293

10-32Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeTable 10-2. 802.1X Open VLAN Mode Options802.1X Per-Port Config

Page 294

10-33Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeAuthorized-Client VLAN • After client authentication, the port

Page 295

10-34Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Unauthorized-Client VLAN Configured

Page 296 - Dynamic IP Lockdown

10-35Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Authorized-Client VLAN Configured:•

Page 297 - Prerequisite: DHCP Snooping

10-36Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOperating Rules for Authorized-Client andUnauthorized-Client VL

Page 298

10-37Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of Unauthorized-Client VLAN session on untagged port VLA

Page 299 - Enabling Dynamic IP Lockdown

10-38Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of RADIUS-assigned VLANThis rule assumes no other authen

Page 300

10-39Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote If you use the same VLAN as the Unauthorized-Client VLAN f

Page 301 - Database

1-15Security OverviewGetting Started with Access SecuritySNMP Security GuidelinesIn the default configuration, the switch is open to access by managem

Page 302 - Adding a Static Binding

10-40Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeSetting Up and Configuring 802.1X Open VLAN ModePreparation. Th

Page 303 - Bindings

10-41Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote that as an alternative, you can configure the switch to us

Page 304 - Debugging Dynamic IP Lockdown

10-42Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN Mode3. If you selected either eap-radius or chap-radius for step 2,

Page 305

10-43Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeConfiguring 802.1X Open VLAN Mode. Use these commands to actual

Page 306

10-44Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeInspecting 802.1X Open VLAN Mode Operation. For information an

Page 307

10-45Configuring Port-Based and User-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent

Page 308

10-46Configuring Port-Based and User-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent

Page 309 - Examples

10-47Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

Page 310

10-48Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

Page 311

10-49Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

Page 312

1-16Security OverviewGetting Started with Access SecurityIf SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then yo

Page 313 - Filter Types and Operation

10-50Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S

Page 314 - Source-Port Filters

10-51Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersDisplaying 802.1X Configura

Page 315

10-52Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersSyntax: show port-access a

Page 316 - Named Source-Port Filters

10-53Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-10.Example of sho

Page 317

10-54Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersTable 10-3. Field Descripti

Page 318 - [ index ]

10-55Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-12.Example of sho

Page 319

10-56Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-13.Example of sho

Page 320

10-57Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-14.Example of sho

Page 321

10-58Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-15. Example of s

Page 322

10-59Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-16. Example of sh

Page 323

1-17Security OverviewPrecedence of Security OptionsPrecedence of Security OptionsThis section explains how port-based security options, and client-bas

Page 324

10-60Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersViewing 802.1X Open VLAN Mo

Page 325

10-61Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersThus, in the output shown i

Page 326

10-62Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersTable 10-3. Output for Dete

Page 327 - * ), indicating that the

10-63Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-18.Example of Sho

Page 328 - Editing a Source-Port Filter

10-64Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersShow Commands for Port-Acce

Page 329 - Filter Indexing

10-65Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operationsupplicant port to another wi

Page 330

10-66Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationNote You can use 802.1X (port

Page 331 - Configuring Port-Based and

10-67Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operation• If the port is assigned as

Page 332

10-68Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationIf this temporary VLAN assign

Page 333

10-69Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFor example, suppose that a R

Page 334 - User Authentication Methods

iiiContentsProduct DocumentationAbout Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviiPrinted Publications. . . . .

Page 335

1-18Security OverviewPrecedence of Security Optionsvalue applied to a client session is determined in the following order (from highest to lowest prio

Page 336

10-70Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFigure 10-20.The Active Confi

Page 337 - 802.1X standard

10-71Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationWhen the 802.1X client’s sess

Page 338

10-72Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationNote Any port VLAN-ID changes

Page 339

10-73Configuring Port-Based and User-Based Access Control (802.1X)Messages Related to 802.1X OperationMessages Related to 802.1X OperationTable 10-4.

Page 340 - VLAN Membership Priority

11-111Configuring and Monitoring Port SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 341

11-2Configuring and Monitoring Port Security ContentsWeb: Checking for Intrusions, Listing IntrusionAlerts, and Resetting Alert Flags . . . . . .

Page 342

11-3Configuring and Monitoring Port SecurityOverviewOverviewPort Security (Page 11-4). This feature enables you to configure each switch port with a

Page 343

11-4Configuring and Monitoring Port Security Port SecurityPort SecurityBasic OperationDefault Port Security Operation. The default port security s

Page 344 - Access Control

11-5Configuring and Monitoring Port SecurityPort Security• Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the

Page 345

11-6Configuring and Monitoring Port Security Port Securityconfiguration to ports on which hubs, switches, or other devices are connected, and to m

Page 346

1-19Security OverviewPrecedence of Security OptionsThe profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrPr

Page 347

11-7Configuring and Monitoring Port SecurityPort SecurityPlanning Port Security1. Plan your port security configuration and monitoring according to th

Page 348 - Authenticators

11-8Configuring and Monitoring Port Security Port SecurityPort Security Command Options and OperationPort Security Commands Used in This SectionTh

Page 349

11-9Configuring and Monitoring Port SecurityPort SecurityDisplaying Port Security Settings. Figure 11-2. Example Port Security Listing (Ports A7 and

Page 350 - Based Authentication

11-10Configuring and Monitoring Port Security Port SecurityFigure 11-3. Example of the Port Security Configuration Display for a Single PortThe n

Page 351

11-11Configuring and Monitoring Port SecurityPort SecurityFigure 11-4. Examples of Show Mac-Address Outputs

Page 352

11-12Configuring and Monitoring Port Security Port SecurityConfiguring Port SecurityUsing the CLI, you can: Configure port security and edit secu

Page 353

11-13Configuring and Monitoring Port SecurityPort SecuritySyntax: port-security (Continued)learn-mode < continuous | static | port-access | config

Page 354

11-14Configuring and Monitoring Port Security Port SecuritySyntax: port-security (Continued)learn-mode < continuous | static | port-access | c

Page 355

11-15Configuring and Monitoring Port SecurityPort SecuritySyntax: port-security (Continued)Addresses learned this way appear in the switch and port ad

Page 356

11-16Configuring and Monitoring Port Security Port SecuritySyntax: port-security (Continued)mac-address [<mac-addr>] [<mac-addr>] . .

Page 357 - Wake-on-LAN Traffic

1-20Security OverviewPrecedence of Security OptionsClient-specific configurations are applied on a per-parameter basis on a port. In a client-specific

Page 358

11-17Configuring and Monitoring Port SecurityPort SecurityRetention of Static AddressesStatic MAC addresses do not age-out. MAC addresses learned by u

Page 359 - 802.1X Open VLAN Mode

11-18Configuring and Monitoring Port Security Port Security Delete it by using no port-security < port-number > mac-address < mac-addr &

Page 360 - VLAN Membership Priorities

11-19Configuring and Monitoring Port SecurityPort SecurityAdding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s exis

Page 361

11-20Configuring and Monitoring Port Security Port Security(The message Inconsistent value appears if the new MAC address exceeds the current Addr

Page 362

11-21Configuring and Monitoring Port SecurityPort SecurityRemoving a Device From the “Authorized” List for a Port. This command option removes unwante

Page 363

11-22Configuring and Monitoring Port Security MAC LockdownThe following command serves this purpose by removing 0c0090-123456 and reducing the Add

Page 364

11-23Configuring and Monitoring Port SecurityMAC LockdownYou will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If yo

Page 365

11-24Configuring and Monitoring Port Security MAC LockdownOther Useful Information. Once you lock down a MAC address/VLAN pair on one port that pa

Page 366 - Unauthorized-Client VLANs

11-25Configuring and Monitoring Port SecurityMAC LockdownMAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safe

Page 367

11-26Configuring and Monitoring Port Security MAC LockoutDeploying MAC LockdownWhen you deploy MAC Lockdown you need to consider how you use it wi

Page 368

1-21Security OverviewProCurve Identity-Driven Manager (IDM)ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+)

Page 369

11-27Configuring and Monitoring Port SecurityMAC LockoutTo use MAC Lockout you must first know the MAC Address you wish to block.How It Works. Let’s s

Page 370

11-28Configuring and Monitoring Port Security MAC LockoutMAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti-cation.You cannot

Page 371

11-29Configuring and Monitoring Port SecurityMAC LockoutPort Security and MAC LockoutMAC Lockout is independent of port-security and in fact will over

Page 372

11-30Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security FeaturesWeb: Displaying and Configuring Port Security

Page 373

11-31Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion thro

Page 374

11-32Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert FlagsThe log shows the most recent intrusion at the top

Page 375 - Configure Port-Security

11-33Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsMenu: Checking for Intrusions, Listing Intrusion Alerts

Page 376 - Port-Security

11-34Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags• Because the Port Status screen (figure 11-12 on

Page 377 - Other Switches

11-35Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsIn the following example, executing show interfaces bri

Page 378

11-36Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert FlagsTo clear the intrusion from port A1 and enable the

Page 379 - Supplicant Port Configuration

2-12Configuring Username and Password SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 380

11-37 Configuring and Monitoring Port Security / Reading Intrusion Alerts and Resetting Alert Flags: Figure 11-17. Example of Log Listing With and Without De

Page 381 - Statistics, and Counters

11-38 Configuring and Monitoring Port Security / Operating Notes for Port Security: Identifying the IP Address of an I

Page 382

11-39 Configuring and Monitoring Port Security / Operating Notes for Port Security: ProCurve(config)# port-security e a17 learn-mode static address-limit 2L

Page 383

12-1 12 Using Authorized IP Managers / Contents: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 384

12-2 Using Authorized IP Managers / Overview: Authorized IP Manager Features. The Authorized IP Managers feature uses IP addresses and masks to deter

Page 385

12-3 Using Authorized IP Managers / Options: You can configure: Up to 10 authorized manager addresses, where each address applies to either a single

Page 386

12-4 Using Authorized IP Managers / Defining Authorized Management Stations: Authorizing Single Stations: The table

Page 387

12-5 Using Authorized IP Managers / Defining Authorized Management Stations: rized Manager IP address to authorize four IP addresses for management station

Page 388

12-6 Using Authorized IP Managers / Defining Authorized Management Stations: Figure 12-2. Example of How To Add an Authorized Manager Entry (Continued). Editi

Page 389

12-7 Using Authorized IP Managers / Defining Authorized Management Stations: Figure 12-3. Example of the Show IP Authorized-Manager Display. The above example

Page 390

2-2 Configuring Username and Password Security / Contents: Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation . . . . . .

Page 391

12-8 Using Authorized IP Managers / Defining Authorized Management Stations: If you omit the < mask bits > when adding a new authorized manager, the s

Page 392

12-9 Using Authorized IP Managers / Web: Configuring IP Authorized Managers: In the web browser interface you can con

Page 393

12-10 Using Authorized IP Managers / Building IP Masks: Using a Web Proxy Server to Access the Web Browser Interface. Caution: This is NOT recommended. Using a

Page 394 - ■ The switch reboots

12-11 Using Authorized IP Managers / Building IP Masks: Figure 12-5. Analysis of IP Mask for Single-Station Entries. Configuring Multiple Stations Per Authori

Page 395 - Affects VLAN Operation

12-12 Using Authorized IP Managers / Building IP Masks: Figure 12-6. Analysis of IP Mask for Multiple-Station Entries. Figure 12-7. Example of How the Bitmap

Page 396 - VLAN Assignment on a Port

12-13 Using Authorized IP Managers / Operating Notes: Additional Examples for Authorizing Multiple Stations. Operating Notes. Network Security Precautions: Yo

Page 397

12-14 Using Authorized IP Managers / Operating Notes: • Even if you need proxy server access enabled in order to use other applications, you can still elimi

Page 398 - Based Authentication Session

Index – 1 / Index: Numerics: 3DES … 7-3; 802.1X access control: authenticate users … 10-5; authentication methods … 10-4; authentication, local … 10-6; authentication,

Page 399

2 – Index: password for port-access … 2-11, 2-21; port, supplicant … 10-16; port-based: access … 10-4; client without authentication … 10-5; effect of Web/MAC aut

Page 400

Index – 3: ports … 10-39; untagged … 10-30, 10-33, 10-34; untagged membership … 10-20; VLAN operation … 10-65; VLAN use, multiple clients … 10-7; VLAN, assignment

Page 401 - After the 802.1X session

2-3 Configuring Username and Password Security / Overview: Console access includes both the menu interface and the CLI. There are two levels of cons

Page 402

4 – Index: root … 7-4; self-signed … 7-3; CHAP … 5-11; chap-radius … 5-11; cipher, SSH … 6-17; Clear button: to delete password protection … 2-7; configuration: filters … 9

Page 403 - < port-number >:

Index – 5: bpdu protection, none … 1-8; SSH, disabled … 1-4, 6-2; SSL, disabled … 1-5, 7-2; TACACS+: authentication configuration … 4-9; authentication, disabled …

Page 404

6 – Index: E: Eavesdrop Protection … 11-4; encryption key: RADIUS … 2-11, 2-15; TACACS … 2-11, 2-15; event log: alerts for monitored events … 8-34; intrusion alerts …

Page 405

Index – 7: authenticator operation … 3-6; blocked traffic … 3-3; CHAP: defined … 3-11; usage … 3-3; client status … 3-60; concurrent with Web … 3-4; configuration com

Page 406

8 – Index: tracking client authentication failures … 8-33; Web authentication … 10-4; Web/MAC … 10-20; See also 802.1X access control. port scan, detecting … 8-

Page 407 - Port Security

Index – 9: server access order, changing … 5-50; servers, multiple … 5-19; service type value … 5-8; service-type value … 5-14; service-type value, null … 5-14; s

Page 408 - Blocking Unauthorized Traffic

10 – Index: Option 82 … 8-6, 8-9; statistics … 8-6; untrusted-policy … 8-10; verify … 8-6; source port filters: configuring … 9-4; named … 9-6; operating rules … 9-4; S

Page 409 - Trunk Group Exclusion

Index – 11: prerequisites … 7-5; remove self-signed certificate … 7-9; remove server host certificate … 7-9; reserved TCP port numbers … 7-20; root … 7-4; root ce

Page 410 - Planning Port Security

12 – Index: U: untrusted policy, snooping … 8-10; user name: cleared … 2-7; SNMP configuration … 2-3; V: vendor-specific attribute: configuring support for HP VSAs … 5

Page 411 - Port Security Display Options

ProCurve 5400zl i and *5992-5525* Technology for better business outcomes. To learn more, visit www.hp.com/go/bladesystem/documentation/ © Copy

Page 412

2-4 Configuring Username and Password Security / Overview: To configure password security: 1. Set a Manager password pair (and an Operator password pair, if

Page 413

2-5 Configuring Username and Password Security / Overview: Notes: The manager and operator passwords and (optional) usernames control access to the menu inte

Page 414

2-6 Configuring Username and Password Security / Configuring Local Password Security: Menu: Setting Passwords. As noted ear

Page 415 - Configuring Port Security

iv 2 Configuring Username and Password Security / Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 416

2-7 Configuring Username and Password Security / Configuring Local Password Security: To Delete Password Protection (Including Recovery from a Lost Password

Page 417

2-8 Configuring Username and Password Security / Configuring Local Password Security: CLI: Setting Passwords and Usernames. Commands Used in This Section. Confi

Page 418 - use this command syntax:

2-9 Configuring Username and Password Security / Configuring Local Password Security: If you want to remove both operator and manager password protection, u

Page 419

2-10 Configuring Username and Password Security / Saving Security Credentials in a Config File: You can store an

Page 420 - Retention of Static Addresses

2-11 Configuring Username and Password Security / Saving Security Credentials in a Config File: The chapter on “Switch Memory and Configuration” in the Ma

Page 421

2-12 Configuring Username and Password Security / Saving Security Credentials in a Config File: Local Manager and Operator Passwords. The information saved to

Page 422

2-13 Configuring Username and Password Security / Saving Security Credentials in a Config File: You can enter a manager, operator, or 802.1X port-access pas

Page 423

2-14 Configuring Username and Password Security / Saving Security Credentials in a Config File: [priv <priv-pass>] is the (optional) hashed privacy pa

Page 424

2-15 Configuring Username and Password Security / Saving Security Credentials in a Config File: The password port-access values are configured separately fr

Page 425 - MAC Lockdown

2-16 Configuring Username and Password Security / Saving Security Credentials in a Config File: during authentication sessions. Both the switch and the serv

Page 426

v Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 3 Web and MAC Authentication / Contents . . . . . . .

Page 427

2-17 Configuring Username and Password Security / Saving Security Credentials in a Config File: Note: The ip ssh public-key command allows you to configure o

Page 428 - MAC Lockdown Operating Notes

2-18 Configuring Username and Password Security / Saving Security Credentials in a Config File: To display the SSH public-key configurations (72 characters

Page 429 - MAC Lockout

2-19 Configuring Username and Password Security / Saving Security Credentials in a Config File: Operating Notes. Caution: When you first enter the include-cr

Page 430

2-20 Configuring Username and Password Security / Saving Security Credentials in a Config File: • copy config <source-filename> config <target-file

Page 431 - 1025-2048 8

2-21 Configuring Username and Password Security / Saving Security Credentials in a Config File: Restrictions. The following restrictions apply when you enable

Page 432 - Port Security and MAC Lockout

2-22 Configuring Username and Password Security / Saving Security Credentials in a Config File: the username and password used as 802.1X authentication cred

Page 433 - Alert Flags

2-23 Configuring Username and Password Security / Front-Panel Security: The front-panel security features provide the ability to indepen

Page 434

2-24 Configuring Username and Password Security / Front-Panel Security: As a result of increased security concerns, customers now have the ability to stop s

Page 435 - Send-Disable

2-25 Configuring Username and Password Security / Front-Panel Security: Clear Button. Pressing the Clear button alone for five seconds resets the password(s)

Page 436 - Resetting Alert Flags

2-26 Configuring Username and Password Security / Front-Panel Security: 2. While holding the Reset button, press and hold the Clear button for five seconds.

Page 437 - Yes” for the port on which

vi Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60 4 TACACS+ Authentication / Contents

Page 438

2-27 Configuring Username and Password Security / Front-Panel Security: Configuring Front-Panel Security. Using the front-panel-security command from the glob

Page 439

2-28 Configuring Username and Password Security / Front-Panel Security: For example, show front-panel-security produces the following output when the switch

Page 440

2-29 Configuring Username and Password Security / Front-Panel Security: Disabling the Clear Password Function of the Clear Button. This command displays a Cau

Page 441

2-30 Configuring Username and Password Security / Front-Panel Security: Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation. F

Page 442

2-31 Configuring Username and Password Security / Front-Panel Security: Figure 2-12. Example of Re-Enabling the Clear Button’s Default Operation. Changing the

Page 443 - Using Authorized IP Managers

2-32 Configuring Username and Password Security / Password Recovery: Figure 2-13. Example of Disabling the Factory Reset Option. Password Recovery. The password

Page 444

2-33 Configuring Username and Password Security / Password Recovery: factory-default configuration. This can disrupt network operation and make it necessary

Page 445 - Access Levels

2-34 Configuring Username and Password Security / Password Recovery: Figure 2-14. Example of the Steps for Disabling Password-Recovery. Password Recovery Proc

Page 446 - Stations

3-1 3 Web and MAC Authentication / Contents: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 447 - Managers

3-2 Web and MAC Authentication / Contents: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50

Page 448

vii Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . .

Page 449

3-3 Web and MAC Authentication / Overview: Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based s

Page 450

3-4 Web and MAC Authentication / Overview: Note: A proxy server is not supported for use by a browser on a client device that accesses the network through a

Page 451

3-5 Web and MAC Authentication / Overview: Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate

Page 452 - Building IP Masks

3-6 Web and MAC Authentication / How Web and MAC Authentication Operate: clients by using an “unauthorized” VLAN for each session. The unauthorized VLAN ID

Page 453 - IP Entry

3-7 Web and MAC Authentication / How Web and MAC Authentication Operate: Web-based Authentication. When a client connects to a Web-Auth enabled port, communic

Page 454

3-8 Web and MAC Authentication / How Web and MAC Authentication Operate: If the client is authenticated and the maximum number of clients allowed on the por

Page 455

3-9 Web and MAC Authentication / How Web and MAC Authentication Operate: A client may not be authenticated due to invalid credentials or a RADIUS server tim

Page 456

3-10 Web and MAC Authentication / How Web and MAC Authentication Operate: The assigned port VLAN remains in place until the session ends. Clients may be for

Page 457 - Numerics

3-11 Web and MAC Authentication / Terminology: Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagge

Page 458 - 2 – Index

3-12 Web and MAC Authentication / Operating Rules and Notes: The switch supports concurrent 802.1X, Web and MAC authentication o

Page 459 - Index – 3

viii 2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server . . . . . . . . . . . . . . . . . . . . 5-42 3. (Optional

Page 460 - 4 – Index

3-13 Web and MAC Authentication / Operating Rules and Notes: 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port b

Page 461 - Index – 5

3-14 Web and MAC Authentication / Setup Procedure for Web/MAC Authentication: Web/MAC Authentication and LACP. Web or MAC authentication and LACP are not supp

Page 462 - 6 – Index

3-15 Web and MAC Authentication / Setup Procedure for Web/MAC Authentication: Figure 3-4. Example of show port-access config Command Output. 3. Determine whe

Page 463 - Index – 7

3-16 Web and MAC Authentication / Setup Procedure for Web/MAC Authentication: Note that when configuring a RADIUS server to assign a VLAN, you can use eithe

Page 464 - 8 – Index

3-17 Web and MAC Authentication / Setup Procedure for Web/MAC Authentication: aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, AABBCCDDEEFF, AABBCC-DDEEFF, AA-BB-CC-DD-EE-FF, AA

Page 465 - Index – 9

3-18 Web and MAC Authentication / Setup Procedure for Web/MAC Authentication: Syntax: [no] radius-server [host < ip-address >] [oobm]. Adds a server to

Page 466 - 10 – Index

3-19 Web and MAC Authentication / Setup Procedure for Web/MAC Authentication: For example, to configure the switch to access a RADIUS server at IP address 1

Page 467 - Index – 11

3-20 Web and MAC Authentication / Configuring Web Authentication: Overview. 1. If you have not already done so, configure a loca

Page 468 - 12 – Index

3-21 Web and MAC Authentication / Configuring Web Authentication: • You can block only incoming traffic on a port before authentication occurs. Outgoing tra

Page 469 - *5992-5525*

3-22 Web and MAC Authentication / Configuring Web Authentication: Syntax: aaa port-access <port-list > controlled-directions <both | in>. After yo
