August 2009 ProCurve Series 6120 Switches Access Security Guide
3-23Web and MAC AuthenticationConfiguring Web AuthenticationSyntax: aaa port-access <port-list > controlled-directions <both | in>— Contin
3-24Web and MAC AuthenticationConfiguring Web AuthenticationSyntax: [no] aaa port-access web-based <port-list>Enables web-based authentication o
3-25Web and MAC AuthenticationConfiguring Web AuthenticationFigure 6. Adding Web Servers with the aaa port-access web-based ews-server CommandSpecif
3-26Web and MAC AuthenticationConfiguring Web AuthenticationFigure 7. Removing a Web Server with the aaa port-access web-based ews-server CommandPro
3-27Web and MAC AuthenticationConfiguring Web AuthenticationSyntax: aaa port-access web-based <port-list > [reauth-period <0 - 9999999>]Sp
3-28Web and MAC AuthenticationConfiguring Web AuthenticationShow Commands for Web AuthenticationCommand Pageshow port-access web-based [port-list] 3-2
3-29Web and MAC AuthenticationConfiguring Web AuthenticationFigure 4. Example of show port-access web-based Command OutputFigure 5. Example of show
3-30Web and MAC AuthenticationConfiguring Web AuthenticationFigure 6. Example of show port-access web-based clients detailed Command OutputSyntax: sh
3-31Web and MAC AuthenticationConfiguring Web AuthenticationFigure 7. Example of show port-access web-based config Command OutputSyntax: show port-ac
3-32Web and MAC AuthenticationConfiguring Web AuthenticationFigure 8. Example of show port-access web-based config detail Command OutputSyntax: show
3-33Web and MAC AuthenticationConfiguring Web AuthenticationFigure 9. Example of show port-access web-based config auth-server Command OutputSyntax:
3-34Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Customizing Web Authentication HTML Files (Optional)The Web Authenti
3-35Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional) To configure a web server on your network, follow the instructions
3-36Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Customizable HTML TemplatesThe sample HTML files described in the fo
3-37Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional) Figure 9. HTML Code for User Login Page Template<!--ProCurve W
3-38Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Access Granted Page (accept.html). Figure 9-10. Access Granted Page
3-39Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Figure 11. HTML Code for Access Granted Page Template<!--ProCur
3-40Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Authenticating Page (authen.html). Figure 12. Authenticating Pag
3-41Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Invalid Credentials Page (reject_unauthvlan.html). Figure 10. Inva
3-42Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Figure 14. HTML Code for Invalid Credentials Page Template<!--P
3-43Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Timeout Page (timeout.html). Figure 15. Timeout PageThe timeout.h
3-44Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Retry Login Page (retry_login.html). Figure 17. Retry Login PageT
3-45Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Figure 18. HTML Code for Retry Login Page Template<!--ProCurve
3-46Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)SSL Redirect Page (sslredirect.html). Figure 19. SSL Redirect Pag
3-47Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Figure 20. HTML Code for SSL Redirect Page Template<!--ProCurve
3-48Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Access Denied Page (reject_novlan.html). Figure 11. Access Denied P
3-49Web and MAC AuthenticationCustomizing Web Authentication HTML Files (Optional)Figure 21. HTML Code for Access Denied Page Template<!--ProCurv
3-50Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchConfiguring MAC Authentication on the SwitchOverview1. If you have not alrea
3-51Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchConfiguration Commands for MAC AuthenticationCommand PageConfiguration Level
3-52Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchSyntax: [no] aaa port-access mac-based < port-list >Enables MAC-based
3-53Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchSyntax:aaa port-access mac-based [e] < port-list > [logoff-period] <
3-54Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchShow Commands for MAC-Based AuthenticationSyntax: aaa port-access mac-based
3-55Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchFigure 3-22. Example of show port-access mac-based Command OutputFigure 4.
3-56Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchFigure 5. Example of show port-access mac-based clients detail Command Outp
3-57Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchFigure 6. Example of show port-access mac-based config Command OutputSyntax
3-58Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchFigure 7. Example of show port-access mac-based config detail Command Outpu
3-59Web and MAC AuthenticationConfiguring MAC Authentication on the SwitchFigure 8. Example of show port-access mac-based config auth-server Command
3-60Web and MAC AuthenticationClient StatusClient StatusThe table below shows the possible client status information that may be reported by a Web-bas
4-14TACACS+ AuthenticationContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4-2TACACS+ AuthenticationOverviewOverviewTACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in
4-3TACACS+ AuthenticationTerminology Used in TACACS Applications:TACACS+ server for authentication services. If the switch fails to connect to any TAC
4-4TACACS+ AuthenticationTerminology Used in TACACS Applications:face. (Using the menu interface you can assign a local password, but not a username.)
4-5TACACS+ AuthenticationGeneral System RequirementsGeneral System RequirementsTo use TACACS+ authentication, you need the following: A TACACS+ serve
4-6TACACS+ AuthenticationGeneral Authentication Setup Procedureother access type (console, in this case) open in case the Telnet access fails due to a
4-7TACACS+ AuthenticationGeneral Authentication Setup ProcedureNote on Privilege LevelsWhen a TACACS+ server authenticates an access request from a sw
4-8TACACS+ AuthenticationConfiguring TACACS+ on the Switchconfiguration in your TACACS+ server application for mis-configura-tions or missing data tha
4-9TACACS+ AuthenticationConfiguring TACACS+ on the SwitchCLI Commands Described in this SectionViewing the Switch’s Current Authentication Configurat
4-10TACACS+ AuthenticationConfiguring TACACS+ on the SwitchViewing the Switch’s Current TACACS+ Server Contact ConfigurationThis command lists the tim
4-11TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s Authentication MethodsThe aaa authentication command configures ac
4-12TACACS+ AuthenticationConfiguring TACACS+ on the SwitchAuthentication ParametersTable 4-1. AAA Authentication ParametersSyntax: aaa authentication
4-13TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the TACACS+ Server for Single LoginIn order for the single login feature to wor
4-14TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFigure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User SetupThen scroll d
4-15TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFigure 4-5. The Shell Section of the TACACS+ Server User SetupAs shown in the next table, l
4-16TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTable 4-2. Primary/Secondary Authentication TableCaution Regarding the Use of Local for Log
4-17TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFor example, here is a set of access options and the corresponding commands to configure th
4-18TACACS+ AuthenticationConfiguring TACACS+ on the SwitchConfiguring the Switch’s TACACS+ Server AccessThe tacacs-server command configures these pa
4-19TACACS+ AuthenticationConfiguring TACACS+ on the SwitchNote on Encryption KeysEncryption keys configured in the switch must exactly match the encr
4-20TACACS+ AuthenticationConfiguring TACACS+ on the SwitchSpecifies the IP address of a device running a TACACS+ server application. Optionally, can
4-21TACACS+ AuthenticationConfiguring TACACS+ on the SwitchAdding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was
4-22TACACS+ AuthenticationConfiguring TACACS+ on the SwitchFigure 4-7. Example of the Switch After Assigning a Different “First-Choice” ServerTo remov
4-23TACACS+ AuthenticationConfiguring TACACS+ on the SwitchTo delete a per-server encryption key in the switch, re-enter the tacacs-server host comman
4-24TACACS+ AuthenticationHow Authentication OperatesHow Authentication OperatesGeneral Authentication Process Using a TACACS+ ServerAuthentication th
4-25TACACS+ AuthenticationHow Authentication Operates4. When the requesting terminal responds to the prompt with a password, the switch forwards it to
4-26TACACS+ AuthenticationHow Authentication OperatesLocal Authentication ProcessWhen the switch is configured to use TACACS+, it reverts to local aut
4-27TACACS+ AuthenticationHow Authentication OperatesUsing the Encryption KeyGeneral OperationWhen used, the encryption key (sometimes termed “key”, “
4-28TACACS+ AuthenticationControlling Web Browser Interface Access When Using TACACS+ AuthenticationFor example, you would use the next command to con
4-29TACACS+ AuthenticationMessages Related to TACACS+ OperationMessages Related to TACACS+ OperationThe switch generates the CLI messages listed below
4-30TACACS+ AuthenticationOperating Notes When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not acce
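The following Python model is added here as a worked illustration of the TACACS+ login flow described in this chapter; it is not ProCurve code and does not run on the switch. It combines the primary/secondary method pair (Table 4-2), the ordered server list with its "first-choice" server, and the local-authentication rule that a reachable server's rejection is final while local passwords are consulted only when no server can be contacted. The server addresses, user names, passwords and privilege levels are constructed for the example, and the mapping of a TACACS+ priv-lvl of 15 to Manager access under single login is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TacacsServer:
    """A TACACS+ server as the switch sees it: reachable or not, and its verdict."""
    ip: str
    reachable: bool = True
    # constructed user database: user -> (password, priv-lvl returned on accept)
    users: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> Optional[Tuple[bool, int]]:
        """None: the switch could not connect (timeout); otherwise (accepted, priv-lvl)."""
        if not self.reachable:
            return None
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return (False, 0)
        return (True, entry[1])


@dataclass
class SwitchAuth:
    primary: str = "tacacs"                      # "tacacs" or "local"
    secondary: str = "local"                     # "local" or "none"
    single_login: bool = False                   # honour priv-lvl from the server (assumption: 15 = Manager)
    servers: List[TacacsServer] = field(default_factory=list)       # first-choice server first
    local_passwords: Dict[str, str] = field(default_factory=dict)   # {"operator": ..., "manager": ...}

    def cli(self, access: str = "telnet") -> List[str]:
        """The switch commands this policy corresponds to (forms given in this chapter)."""
        lines = [f"tacacs-server host {s.ip}" for s in self.servers]
        lines.append(f"aaa authentication {access} login {self.primary} {self.secondary}")
        return lines


def local_login(cfg: SwitchAuth, password: str) -> Optional[str]:
    """Local authentication has no user names: the Manager password grants
    read-write access, the Operator password read-only, anything else is refused."""
    for level in ("manager", "operator"):
        if cfg.local_passwords.get(level) == password:
            return level
    return None


def login(cfg: SwitchAuth, user: str, password: str) -> Tuple[Optional[str], str]:
    """Returns (privilege level granted or None, reason)."""
    if cfg.primary == "local":
        return local_login(cfg, password), "local (primary)"
    for srv in cfg.servers:                      # configured order, first-choice first
        verdict = srv.authenticate(user, password)
        if verdict is None:
            continue                             # timed out: try the next server
        ok, priv = verdict
        if not ok:
            # A reachable server's reject is final; the switch does not fall
            # through to the secondary method on a rejection.
            return None, f"rejected by {srv.ip}"
        level = "manager" if (cfg.single_login and priv == 15) else "operator"
        return level, f"accepted by {srv.ip}"
    if cfg.secondary == "local":
        return local_login(cfg, password), "no TACACS+ server reachable; local (secondary)"
    return None, "no TACACS+ server reachable; secondary is none: access denied"
```

The point worth checking on a real deployment is the middle branch: with `tacacs local` configured, a typo in the password against a live server is a rejection, not a fallback, so the local Manager password only becomes usable when every listed server times out.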
5-15RADIUS Authentication, Authorization, and AccountingContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5-2RADIUS Authentication, Authorization, and AccountingContentsExample Configuration on Cisco Secure ACS for MS Windows 5-30Example Configuration Usi
5-3RADIUS Authentication, Authorization, and AccountingOverviewOverviewRADIUS (Remote Authentication Dial-In User Service) enables you to use up to th
5-4RADIUS Authentication, Authorization, and AccountingOverviewNote The switch does not support RADIUS security for SNMP (network manage-ment) access.
5-5RADIUS Authentication, Authorization, and AccountingTerminologyTerminologyAAA: Authentication, Authorization, and Accounting groups of services pro
5-6RADIUS Authentication, Authorization, and AccountingSwitch Operating Rules for RADIUSVendor-Specific Attribute: A vendor-defined value configured i
5-7RADIUS Authentication, Authorization, and AccountingGeneral RADIUS Setup ProcedureGeneral RADIUS Setup ProcedurePreparation:1. Configure one to thr
5-8RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationConfiguring the Switch for RADIUS Authenticatio
5-9RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationOutline of the Steps for Configuring RADIUS Aut
5-10RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS Authentication• Timeout Period: The timeout period the switc
5-11RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS Authenticationure local for the secondary method. This preve
5-12RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 5-2 shows an example of the show authen
xviiProduct DocumentationAbout Your Switch Manual SetNote For the latest version of switch documentation, please visit any of the follow-ing websites:
5-13RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS Authentication Figure 5-3. Example Configuration for RADIUS
5-14RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS Authenticationthis default behavior for clients with Enable
5-15RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationNote If you want to configure RADIUS accountin
5-16RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationFor example, suppose you have configured the s
5-17RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 5-4. Sample Configuration for RADIUS Se
5-18RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS Authentication Global server key: The server key the switch
5-19RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationNote Where the switch has multiple RADIUS serv
5-20RADIUS Authentication, Authorization, and AccountingConfiguring the Switch for RADIUS AuthenticationFigure 5-7. Listings of Global RADIUS Paramete
5-21RADIUS Authentication, Authorization, and AccountingUsing SNMP To View and Configure Switch Authentication FeaturesUsing SNMP To View and Configur
5-22RADIUS Authentication, Authorization, and AccountingUsing SNMP To View and Configure Switch Authentication FeaturesChanging and Viewing the SNMP A
xviiiSoftware Feature IndexThis feature index indicates which manual to consult for information on a given software feature.Note This Index does not c
5-23RADIUS Authentication, Authorization, and AccountingUsing SNMP To View and Configure Switch Authentication FeaturesAn alternate method of determin
5-24RADIUS Authentication, Authorization, and AccountingLocal Authentication ProcessLocal Authentication ProcessWhen the switch is configured to use R
5-25RADIUS Authentication, Authorization, and AccountingControlling Web Browser Interface AccessControlling Web Browser Interface AccessTo help preven
5-26RADIUS Authentication, Authorization, and AccountingCommands AuthorizationCommands AuthorizationThe RADIUS protocol combines user authentication a
5-27RADIUS Authentication, Authorization, and AccountingCommands AuthorizationEnabling Authorization To configure authorization for controlling access
5-28RADIUS Authentication, Authorization, and AccountingCommands AuthorizationDisplaying Authorization InformationYou can show the authorization infor
5-29RADIUS Authentication, Authorization, and AccountingCommands AuthorizationThe results of using the HP-Command-String and HP-Command-Exception attr
5-30RADIUS Authentication, Authorization, and AccountingCommands AuthorizationExample Configuration on Cisco Secure ACS for MS WindowsIt is necessary
5-31RADIUS Authentication, Authorization, and AccountingCommands AuthorizationProfile=IN OUTEnums=Hp-Command-Exception-Types[Hp-Command-Exception-Type
5-32RADIUS Authentication, Authorization, and AccountingCommands Authorization6. Right click and then select New > key. Add the vendor Id number th
Hewlett-Packard Company8000 Foothills Boulevard, m/s 5551Roseville, California 95747-5551www.procurve.com© Copyright 2009 Hewlett-Packard Development
xixDownloading Software XEvent Log XFactory Default Settings XFlow Control (802.3x) XFile Transfers XFriendly Port Names XGVRP XIdentity-Driven Manage
5-33RADIUS Authentication, Authorization, and AccountingCommands Authorization2. Find the location of the dictionary files used by FreeRADIUS (try /us
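The following Python example is added here to show what the HP-Command-String and HP-Command-Exception attributes look like on the wire and how a switch would act on them; it is not ProCurve code or part of FreeRADIUS. It encodes the two attributes as RFC 2865 Vendor-Specific attributes (type 26) using the Hewlett-Packard vendor id 11 and the vendor attribute numbers 2 and 3 that the FreeRADIUS dictionary step above registers, then applies the permit-list/deny-list decision to commands a user types. The command patterns are constructed; treating the pattern list as semicolon-separated shell-style wildcards, and allowing only `exit` and `logout` when no usable attribute pair is present, are assumptions of this example.

```python
import fnmatch
import struct
from typing import Dict, List, Tuple

RADIUS_VENDOR_SPECIFIC = 26        # RFC 2865 attribute type that carries a VSA
HP_VENDOR_ID = 11                  # Hewlett-Packard enterprise number
HP_COMMAND_STRING = 2              # vendor attribute numbers from the dictionary this chapter adds
HP_COMMAND_EXCEPTION = 3
PERMIT_LIST, DENY_LIST = 0, 1      # HP-Command-Exception values


def encode_vsa(vendor_type: int, value: bytes, vendor_id: int = HP_VENDOR_ID) -> bytes:
    """Vendor-Specific attribute: type 26, length, 4-octet vendor id, then the
    vendor's own type/length/value triple."""
    inner = struct.pack(">BB", vendor_type, 2 + len(value)) + value
    return struct.pack(">BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_vsa(data: bytes) -> Tuple[int, int, bytes]:
    """Inverse of encode_vsa; rejects length fields that do not agree with the data."""
    attr_type, length, vendor_id = struct.unpack(">BBI", data[:6])
    if attr_type != RADIUS_VENDOR_SPECIFIC or length != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_type, vendor_len = struct.unpack(">BB", data[6:8])
    if vendor_len != length - 6:
        raise ValueError("vendor length mismatch")
    return vendor_id, vendor_type, data[8:]


def reply_from_vsas(vsas: List[bytes]) -> Dict[str, object]:
    """Collect the HP attributes of an Access-Accept into a name-keyed dict."""
    reply: Dict[str, object] = {}
    for raw in vsas:
        vendor_id, vendor_type, value = decode_vsa(raw)
        if vendor_id != HP_VENDOR_ID:
            continue                                  # another vendor's VSA: ignore
        if vendor_type == HP_COMMAND_STRING:
            reply["HP-Command-String"] = value.decode("ascii")
        elif vendor_type == HP_COMMAND_EXCEPTION:
            reply["HP-Command-Exception"] = struct.unpack(">I", value)[0]
    return reply


def parse_command_string(value: str) -> List[str]:
    """Assumption: patterns are separated by ';' and use '*' as a wildcard."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def command_matches(cmd: str, patterns: List[str]) -> bool:
    cmd = " ".join(cmd.split()).lower()               # normalise whitespace like a CLI
    return any(fnmatch.fnmatchcase(cmd, pat) for pat in patterns)


def authorize(cmd: str, reply: Dict[str, object]) -> bool:
    """Permit-List: only listed commands run. Deny-List: everything except listed commands runs."""
    patterns = parse_command_string(str(reply.get("HP-Command-String", "")))
    exception = reply.get("HP-Command-Exception")
    if exception not in (PERMIT_LIST, DENY_LIST) or not patterns:
        # Assumption for this example: without a usable pair, only leaving the CLI is allowed.
        return cmd.strip().lower() in ("exit", "logout")
    hit = command_matches(cmd, patterns)
    return hit if exception == PERMIT_LIST else not hit
```

When validating a server configuration, capture one Access-Accept and compare the raw attribute bytes against `encode_vsa()`: a wrong vendor id or a string attribute sent as integer shows up there long before the switch's "Invalid attribute" behaviour does.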
5-34RADIUS Authentication, Authorization, and AccountingVLAN Assignment in an Authentication SessionVLAN Assignment in an Authentication SessionA swit
5-35RADIUS Authentication, Authorization, and AccountingVLAN Assignment in an Authentication SessionTagged and Untagged VLAN AttributesWhen you config
5-36RADIUS Authentication, Authorization, and AccountingVLAN Assignment in an Authentication SessionAdditional RADIUS AttributesThe following attribut
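The following Python example is added to make the tagged/untagged VLAN attribute encodings concrete; it is not ProCurve or RADIUS-server code. It builds the attribute set a server would return for one untagged VLAN (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, Tunnel-Private-Group-ID) plus tagged VLANs via the RFC 4675 Egress-VLANID and Egress-VLAN-Name attributes, and decodes them back, rejecting malformed values. The VLAN numbers and names are constructed for the example.

```python
from typing import Dict, List, Tuple, Union

TUNNEL_TYPE_VLAN = 13                         # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6                         # Tunnel-Medium-Type value "IEEE-802"
EGRESS_TAGGED, EGRESS_UNTAGGED = 0x31, 0x32   # high octet of Egress-VLANID (RFC 4675)


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Egress-VLANID: tag indicator in the top octet, 12 zero bits, then the 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return ((EGRESS_TAGGED if tagged else EGRESS_UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> Tuple[int, bool]:
    tag_octet, pad, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag_octet not in (EGRESS_TAGGED, EGRESS_UNTAGGED) or pad or not 1 <= vid <= 4094:
        raise ValueError("malformed Egress-VLANID 0x%08x" % value)
    return vid, tag_octet == EGRESS_TAGGED


def encode_egress_vlan_name(name: str, tagged: bool) -> str:
    """Egress-VLAN-Name: '1' prefix for tagged, '2' for untagged, then the VLAN name."""
    if not name:
        raise ValueError("empty VLAN name")
    return ("1" if tagged else "2") + name


def decode_egress_vlan_name(value: str) -> Tuple[str, bool]:
    if len(value) < 2 or value[0] not in "12":
        raise ValueError("malformed Egress-VLAN-Name %r" % value)
    return value[1:], value[0] == "1"


def build_vlan_reply(untagged: Union[int, str], tagged_ids: List[int] = (),
                     tagged_names: List[str] = ()) -> Dict[str, list]:
    """Attributes for an Access-Accept: the untagged VLAN via the Tunnel-* trio,
    tagged membership via the Egress-* attributes (one value per VLAN)."""
    reply: Dict[str, list] = {
        "Tunnel-Type": [TUNNEL_TYPE_VLAN],
        "Tunnel-Medium-Type": [TUNNEL_MEDIUM_802],
        "Tunnel-Private-Group-ID": [str(untagged)],
    }
    if tagged_ids:
        reply["Egress-VLANID"] = [encode_egress_vlanid(v, True) for v in tagged_ids]
    if tagged_names:
        reply["Egress-VLAN-Name"] = [encode_egress_vlan_name(n, True) for n in tagged_names]
    return reply


def summarize_reply(reply: Dict[str, list]) -> Dict[str, list]:
    """What the switch would apply: one untagged VLAN, any number of tagged ones."""
    out: Dict[str, list] = {"untagged": [], "tagged": []}
    if (reply.get("Tunnel-Type") == [TUNNEL_TYPE_VLAN]
            and reply.get("Tunnel-Medium-Type") == [TUNNEL_MEDIUM_802]):
        out["untagged"] += reply.get("Tunnel-Private-Group-ID", [])
    for raw in reply.get("Egress-VLANID", []):
        vid, tagged = decode_egress_vlanid(raw)
        out["tagged" if tagged else "untagged"].append(vid)
    for raw in reply.get("Egress-VLAN-Name", []):
        name, tagged = decode_egress_vlan_name(raw)
        out["tagged" if tagged else "untagged"].append(name)
    return out
```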
5-37RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS AccountingConfiguring RADIUS AccountingNote This section assumes you have a
5-38RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Accounting Exec accounting: Provides records holding the information liste
5-39RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS AccountingOperating Rules for RADIUS Accounting You can configure up to fo
5-40RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Accountingmust match the encryption key used on the specified RADIUS server
5-41RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS Accounting(For a more complete description of the radius-server command and
5-42RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS AccountingFor example, suppose you want to the switch to use the RADIUS ser
xxPort Monitoring XPort Security XPort Status XPort Trunking (LACP) XPort-Based Access Control (802.1X) XProtocol VLANS XQuality of Service (QoS) XRAD
5-43RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS AccountingNote that there is no time span associated with using the system
5-44RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS AccountingFor example, to configure RADIUS accounting on the switch with st
5-45RADIUS Authentication, Authorization, and AccountingConfiguring RADIUS AccountingTo continue the example in figure 5-12, suppose that you wanted t
5-46RADIUS Authentication, Authorization, and AccountingViewing RADIUS StatisticsViewing RADIUS StatisticsGeneral RADIUS StatisticsFigure 5-14. Exampl
5-47RADIUS Authentication, Authorization, and AccountingViewing RADIUS StatisticsFigure 5-15. RADIUS Server Information From the Show Radius Host Comm
5-48RADIUS Authentication, Authorization, and AccountingViewing RADIUS StatisticsRADIUS Authentication StatisticsFigure 5-16. Example of Login Attempt
5-49RADIUS Authentication, Authorization, and AccountingViewing RADIUS StatisticsFigure 5-17. Example of RADIUS Authentication Information from a Spec
5-50RADIUS Authentication, Authorization, and AccountingChanging RADIUS-Server Access OrderFigure 5-19. Example of RADIUS Accounting Information for a
5-51RADIUS Authentication, Authorization, and AccountingChanging RADIUS-Server Access OrderFigure 5-21. Search Order for Accessing a RADIUS ServerTo e
5-52RADIUS Authentication, Authorization, and AccountingChanging RADIUS-Server Access OrderFigure 5-22. Example of New RADIUS Server Search OrderRemov
xxiVLANs XWeb Authentication RADIUS Support XWeb-based Authentication XWeb UI XIntelligent Edge SoftwareFeaturesManualManagementandConfigurationAdvanc
5-53RADIUS Authentication, Authorization, and AccountingMessages Related to RADIUS OperationMessages Related to RADIUS OperationMessage MeaningCan’t r
6-16Configuring Secure Shell (SSH)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6-2Configuring Secure Shell (SSH)OverviewOverviewThe switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to man
6-3Configuring Secure Shell (SSH)TerminologyNote SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, v
6-4Configuring Secure Shell (SSH)Terminology Enable Level: Manager privileges on the switch. Login Level: Operator privileges on the switch. Local
6-5Configuring Secure Shell (SSH)Prerequisite for Using SSHPrerequisite for Using SSHBefore using the switch as an SSH server, you must install a publ
6-6Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationSteps for Configuring and Using SSHfor Switch
6-7Configuring Secure Shell (SSH)Steps for Configuring and Using SSH for Switch and Client AuthenticationB. Switch Preparation1. Assign a login (Opera
6-8Configuring Secure Shell (SSH)General Operating Rules and NotesGeneral Operating Rules and Notes Public keys generated on an SSH client must be ex
6-9Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationConfiguring the Switch for SSH OperationSSH-Related Commands in This Section
1-1Security OverviewContents1Security OverviewContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6-10Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation1. Assigning a Local Login (Operator) and Enable (Manager) PasswordAt a mini
6-11Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNote When you generate a host key pair on the switch, the switch places the
6-12Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, to generate and display a new key:Figure 6-5. Example of Genera
6-13Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNotes "Zeroizing" the switch’s key automatically disables SSH (set
6-14Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation(The generated public key on the switch is always 896 bits.)With a direct se
6-15Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation Non-encoded ASCII numeric string: Requires a client ability to display the
6-16Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNote Before enabling SSH on the switch you must generate the switch’s public
6-17Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationTo disable SSH on the switch, do either of the following: Execute no ip ssh
6-18Configuring Secure Shell (SSH)Configuring the Switch for SSH Operation[mac <mac-type>]Allows configuration of the set of MACs that can be se
6-19Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationNote on Port NumberProCurve recommends using the default TCP port number (22
1-2Security OverviewIntroductionIntroductionThis chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3
6-20Configuring Secure Shell (SSH)Configuring the Switch for SSH Operationaccess to the serial port (and the Clear button, which removes local passwor
6-21Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationOption B: Configuring the Switch for Client Public-Key SSH Authentication.
6-22Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFor example, assume that you have a client public-key file named Client-Keys
6-23Configuring Secure Shell (SSH)Configuring the Switch for SSH OperationFigure 6-11. Configuring for SSH Access Requiring a Client Public-Key Match
6-24Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication6. Use an SSH Client To Access the SwitchTest the SSH con
6-25Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication1. The client sends its public key to the switch with a r
6-26Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationTo Create a Client-Public-Key Text File. These steps des
6-27Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key Authentication2. Copy the client’s public key into a text file (filena
6-28Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationNote copy usb pub-key file can also be used as a method f
6-29Configuring Secure Shell (SSH)Further Information on SSH Client Public-Key AuthenticationFor example, if you wanted to copy a client public-key fi
1-3Security OverviewAccess Security FeaturesAccess Security FeaturesThis section provides an overview of the switch’s access security features, authen
6-30Configuring Secure Shell (SSH)Messages Related to SSH OperationCaution To enable client public-key authentication to block SSH clients whose publi
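The following Python example is added to show, off the switch, the two checks a client-public-key deployment depends on: that the text file you copy to the switch holds well-formed OpenSSH-format `ssh-rsa` lines within the key limit, and that the hex fingerprint of a key (the `aa:bb:...` form used to verify the switch's own host key before trusting it) can be recomputed independently. It is not ProCurve or OpenSSH code. The key material is constructed from tiny, non-secure numbers purely so the example runs offline; the limit of 10 keys per file is a parameter that reflects the figure given for the switch's client key store and should be checked against the current release notes.

```python
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint for a non-negative integer: minimal big-endian bytes, with a
    leading zero added when the top bit is set so the value stays positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_line(e: int, n: int, comment: str) -> str:
    """One line in the public-key file format: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_ssh_rsa_line(line: str) -> Tuple[int, int, str, bytes]:
    """Returns (e, n, comment, raw blob); raises ValueError on anything malformed."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    comment = parts[2].strip() if len(parts) == 3 else ""
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big"), comment, blob


def md5_fingerprint(blob: bytes) -> str:
    """Hex fingerprint as shown by 2009-era OpenSSH and the switch: MD5 of the blob, colon-separated."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def load_client_keys(text: str, limit: int = 10) -> List[dict]:
    """Parse a client-public-key file; blank and '#' lines are skipped."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        e, n, comment, blob = parse_ssh_rsa_line(line)
        keys.append({"line": lineno, "e": e, "n": n, "comment": comment,
                     "fingerprint": md5_fingerprint(blob)})
    if len(keys) > limit:
        raise ValueError("file holds %d keys, switch accepts at most %d" % (len(keys), limit))
    return keys


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """Compare a key line against the fingerprint read from the switch console."""
    _, _, _, blob = parse_ssh_rsa_line(line)
    return md5_fingerprint(blob) == expected_fingerprint.strip().lower()
```

Run `load_client_keys()` over the file before copying it to the switch: a key pasted with a line break, an `ssh-dss` line, or an eleventh key are the usual reasons the switch rejects the file or a client silently falls back to password login.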
6-31Configuring Secure Shell (SSH)Messages Related to SSH OperationLogging MessagesThere are event log messages when a new key is generated and zeroiz
6-32Configuring Secure Shell (SSH)Messages Related to SSH OperationDebug LoggingTo add ssh messages to the debug log output, enter this command:ProCur
7-17Configuring Secure Socket Layer (SSL)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7-2Configuring Secure Socket Layer (SSL)OverviewOverviewThe switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for
7-3Configuring Secure Socket Layer (SSL)TerminologyFigure 7-1. Switch/User AuthenticationSSL on the switches covered in this guide supports these data
7-4Configuring Secure Socket Layer (SSL)Terminology Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-
7-5Configuring Secure Socket Layer (SSL)Prerequisite for Using SSLPrerequisite for Using SSLBefore using the switch as an SSL server, you must install
7-6Configuring Secure Socket Layer (SSL)General Operating Rules and NotesGeneral Operating Rules and Notes Once you generate a certificate on the swi
7-7Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationConfiguring the Switch for SSL Operation1. Assigning a Local Login (Op
1-4Security OverviewAccess Security FeaturesTelnet andWeb-browser accessenabled The default remote management protocols enabled on the switch are plai
7-8Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 7-2. Example of Configuring Local Passwords1. Proceed to the
7-9Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operationto connect via SSL to the switch. (The session key pair mentioned abov
7-10Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationCLI commands used to generate a Server Host Certificate. To generate
7-11Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTable 7-1. Certificate Field Descriptions For example, to generate a
7-12Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationCLI Command to view host certificates. To view the current host cert
7-13Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationTo generate a self signed host certificate from the web browser inter
7-14Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFor example, to generate a new host certificate via the web browsers
7-15Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-6. Web browser Interface showing current SSL Host Certificat
7-16Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationThe installation of a CA-signed certificate involves interaction with
7-17Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL Operation Figure 7-7. Request for Verified Host Certificate Web Browser Interf
1-5Security OverviewAccess Security FeaturesSSL disabled Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser acces
7-18Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationNote Before enabling SSL on the switch you must generate the switch’s
7-19Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationUsing the CLI Interface to Enable SSLTo enable SSL on the switch1. Ge
7-20Configuring Secure Socket Layer (SSL)Configuring the Switch for SSL OperationFigure 7-8. Using the web browser interface to enable SSL and select
7-21Configuring Secure Socket Layer (SSL)Common Errors in SSL setup
8-18Configuring Advanced Threat ProtectionContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8-2Configuring Advanced Threat ProtectionContentsOperating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8-3Configuring Advanced Threat ProtectionIntroductionIntroductionAs your network expands to include an increasing number of mobile devices, continuous
8-4Configuring Advanced Threat ProtectionDHCP Snooping• Attempts to exhaust system resources so that sufficient resources are not available to transmi
8-5Configuring Advanced Threat ProtectionDHCP SnoopingDHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected t
8-6Configuring Advanced Threat ProtectionDHCP SnoopingTo display the DHCP snooping configuration, enter this command:ProCurve(config)# show dhcp-snoop
1-6Security OverviewAccess Security Features802.1X Access Controlnone This feature provides port-based or user-based authentication through a RADIUS s
8-7Configuring Advanced Threat ProtectionDHCP SnoopingFigure 8-2. Example of Show DHCP Snooping StatisticsEnabling DHCP Snooping on VLANSDHCP snooping
8-8Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring DHCP Snooping Trusted PortsBy default, all ports are untrusted. To configure a port
8-9Configuring Advanced Threat ProtectionDHCP SnoopingConfiguring Authorized Server AddressesIf authorized server addresses are configured, a packet f
8-10Configuring Advanced Threat ProtectionDHCP SnoopingNote DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, n
8-11Configuring Advanced Threat ProtectionDHCP SnoopingChanging the Remote-id from a MAC to an IP AddressBy default, DHCP snooping uses the MAC addres
8-12Configuring Advanced Threat ProtectionDHCP SnoopingFigure 8-7. Example Showing the DHCP Snooping Verify MAC SettingThe DHCP Binding DatabaseDHCP s
8-13Configuring Advanced Threat ProtectionDHCP SnoopingA message is logged in the system event log if the DHCP binding database fails to update.To dis
8-14Configuring Advanced Threat ProtectionDHCP Snooping ProCurve recommends running a time synchronization protocol such as SNTP in order to track le
8-15Configuring Advanced Threat ProtectionDHCP SnoopingCeasing untrusted relay information logs for <duration>. More than one DHCP client packe
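The following Python model is added to show how the DHCP snooping rules described in this section combine on a single packet; it is not ProCurve code. It enforces trusted versus untrusted ports, the authorized-server list, the verify-MAC check, Option 82 insertion with a circuit-id (port) and a remote-id (switch MAC by default), the handling of client packets that already carry relay information on an untrusted port, and the binding database built from server ACKs. The MAC and IP addresses are constructed; the choice to bind a lease to the port on which the client's DISCOVER/REQUEST arrived, and to drop RELEASE/DECLINE messages whose binding belongs to another port, are assumptions of the model rather than text from this guide.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = 1, 2, 3, 4, 5, 6, 7, 8
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpPacket:
    msg_type: int
    port: str
    vlan: int
    src_mac: str                        # Ethernet source address
    chaddr: str                         # client hardware address in the DHCP header
    src_ip: str = "0.0.0.0"
    yiaddr: str = "0.0.0.0"             # address the server assigns (OFFER/ACK)
    lease: int = 0
    option82: Optional[bytes] = None    # relay agent information already present


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int


def option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay Agent Information option body: sub-option 1 = circuit-id, 2 = remote-id."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id


@dataclass
class DhcpSnooping:
    vlans: Set[int]                                          # VLANs with snooping enabled
    trusted_ports: Set[str]                                  # ports facing DHCP servers/relays
    authorized_servers: Set[str] = field(default_factory=set)  # empty: any server on a trusted port
    verify_mac: bool = True
    insert_option82: bool = True
    remote_id: str = "00:1a:2b:3c:4d:5e"                     # switch MAC by default; may be an IP
    untrusted_policy: str = "drop"                           # Option 82 seen on untrusted port: drop|keep|replace
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (chaddr, vlan) -> client port

    def process(self, pkt: DhcpPacket) -> Tuple[str, Optional[bytes]]:
        """Returns (verdict, Option 82 carried by the forwarded packet, if any)."""
        if pkt.vlan not in self.vlans:
            return "forward", pkt.option82                   # not snooped: untouched
        key = (pkt.chaddr.lower(), pkt.vlan)
        if pkt.port in self.trusted_ports:
            if (pkt.msg_type in SERVER_MESSAGES and self.authorized_servers
                    and pkt.src_ip not in self.authorized_servers):
                return "drop: server not in authorized list", None
            if pkt.msg_type == ACK:
                client_port = self.pending.pop(key, None)
                if client_port is not None:                  # bind the lease to the client's port
                    self.bindings[key] = Binding(key[0], pkt.yiaddr, pkt.vlan, client_port, pkt.lease)
            return "forward", None                           # relay information stripped before delivery
        # untrusted port: only client messages, and only well-formed ones
        if pkt.msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port", None
        if self.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop: chaddr does not match Ethernet source MAC", None
        if pkt.msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(key)
            if bound is None or bound.port != pkt.port:
                return "drop: release/decline without a matching binding on this port", None
        opt = pkt.option82
        if opt is not None:
            if self.untrusted_policy == "drop":
                return "drop: relay information on untrusted port", None
            if self.untrusted_policy == "replace":
                opt = None
        if opt is None and self.insert_option82:
            opt = option82(pkt.port.encode(), self.remote_id.encode())
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = pkt.port
        elif pkt.msg_type == RELEASE:
            self.bindings.pop(key, None)
        return "forward", opt
```

The ordering matters: a rogue server on an access port is dropped before any Option 82 logic runs, and a forged RELEASE for another host's lease is dropped before it can clear that host's binding, which is what dynamic ARP protection and IP lockdown later rely on.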
8-16Configuring Advanced Threat ProtectionDynamic ARP ProtectionDynamic ARP ProtectionIntroductionOn the VLAN interfaces of a routing switch, dynamic
1-7Security OverviewNetwork Security FeaturesNetwork Security FeaturesThis section outlines features and defence mechanisms for protecting access thro
8-17Configuring Advanced Threat ProtectionDynamic ARP Protection• If a binding is valid, the switch updates its local ARP cache and forwards the packe
8-18Configuring Advanced Threat ProtectionDynamic ARP ProtectionEnabling Dynamic ARP ProtectionTo enable dynamic ARP protection for VLAN traffic on a
8-19Configuring Advanced Threat ProtectionDynamic ARP ProtectionFigure 8-9. Configuring Trusted Ports for Dynamic ARP ProtectionTake into account the
8-20Configuring Advanced Threat ProtectionDynamic ARP ProtectionAdding an IP-to-MAC Binding to the DHCP DatabaseA routing switch maintains a DHCP bind
8-21Configuring Advanced Threat ProtectionDynamic ARP ProtectionConfiguring Additional Validation Checks on ARP PacketsDynamic ARP protection can be c
8-22Configuring Advanced Threat ProtectionDynamic ARP ProtectionFigure 8-1. The show arp-protect CommandDisplaying ARP Packet StatisticsTo display sta
8-23Configuring Advanced Threat ProtectionDynamic IP LockdownMonitoring Dynamic ARP ProtectionWhen dynamic ARP protection is enabled, you can monitor
8-24Configuring Advanced Threat ProtectionDynamic IP LockdownProtection Against IP Source Address SpoofingMany network attacks occur when an attacker
8-25Configuring Advanced Threat ProtectionDynamic IP Lockdown The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports c
8-26Configuring Advanced Threat ProtectionDynamic IP LockdownAssuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown
1-8Security OverviewNetwork Security FeaturesConnection-Rate Filtering based on Virus-Throttling Technology none This feature helps protect the networ
8-27Configuring Advanced Threat ProtectionDynamic IP Lockdown• Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. I
8-28Configuring Advanced Threat ProtectionDynamic IP LockdownAdding an IP-to-MAC Binding to the DHCP Binding DatabaseA switch maintains a DHCP binding
8-29Configuring Advanced Threat ProtectionDynamic IP LockdownAdding a Static BindingTo add the static configuration of an IP-to-MAC binding for a port
8-30Configuring Advanced Threat ProtectionDynamic IP LockdownAn example of the show ip source-lockdown status command output is shown in Figure 8-5. N
8-31Configuring Advanced Threat ProtectionDynamic IP LockdownFigure 8-6. Example of show ip source-lockdown bindings Command OutputIn the show ip sour
8-32Configuring Advanced Threat ProtectionDynamic IP LockdownFigure 8-7. Example of debug dynamic-ip-lockdown Command OutputProCurve(config)# debug dy
8-33Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorUsing the Instrumentation MonitorThe instrumentation monitor can be used to
8-34Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorOperating Notes To generate alerts for monitored events, you must enable t
8-35Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorConfiguring Instrumentation MonitorThe following commands and parameters ar
8-36Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorTo enable instrumentation monitor using the default parameters and thresh-o
1-9Security OverviewGetting Started with Access SecurityGetting Started with Access SecurityProCurve switches are designed as “plug and play” devices,
8-37Configuring Advanced Threat ProtectionUsing the Instrumentation MonitorViewing the Current Instrumentation Monitor ConfigurationThe show instrumen
9-19Traffic/Security Filters and MonitorsContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9-2Traffic/Security Filters and MonitorsOverviewOverviewSource-port filters are available on the HP ProCurve switch models covered in this guide.Intro
9-3Traffic/Security Filters and MonitorsFilter Types and OperationFilter Types and OperationTable 9-1. Filter Types and CriteriaStatic Filter TypeSele
9-4Traffic/Security Filters and MonitorsFilter Types and OperationSource-Port FiltersThis filter type enables the switch to forward or drop traffic fr
9-5Traffic/Security Filters and MonitorsFilter Types and Operation When you create a source port filter, all ports and port trunks (if any) on the sw
9-6Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-3. The Filter for the Actions Shown in Figure 9-2Named Source-Port FiltersY
9-7Traffic/Security Filters and MonitorsFilter Types and Operation A named source-port filter can only be deleted when it is not applied to any ports
9-8Traffic/Security Filters and MonitorsFilter Types and OperationA named source-port filter must first be defined and configured before it can be app
9-9Traffic/Security Filters and MonitorsFilter Types and OperationUsing Named Source-Port FiltersA company wants to manage traffic to the Internet and
1-10Security OverviewGetting Started with Access SecurityKeeping the switch in a locked wiring closet or other secure space helps to prevent unauthori
9-10Traffic/Security Filters and MonitorsFilter Types and Operation Figure 9-5. Applying Example Named Source-Port FiltersOnce the named source-port f
9-11Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-7. Example of the show filter CommandUsing the IDX value in the show filte
9-12Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-8. Example Showing Traffic Filtered on Specific PortsThe same command, usi
9-13Traffic/Security Filters and MonitorsFilter Types and OperationFigure 9-9. Example of Source Port Filtering with Internet TrafficAs the company gr
9-14Traffic/Security Filters and MonitorsFilter Types and OperationThe following revisions to the named source-port filter definitions maintain the de
9-15Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 9-12. Named Source-Port Filters Managing TrafficConfiguring Traffi
9-16Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersConfiguring a Source-Port Traffic FilterSyntax: [no] filter [source-port
9-17Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersExample of Creating a Source-Port FilterFor example, assume that you want
9-18Traffic/Security Filters and MonitorsConfiguring Traffic/Security Filtersfilter on port 5, then create a trunk with ports 5 and 6, and display the
9-19Traffic/Security Filters and MonitorsConfiguring Traffic/Security FiltersFigure 9-14. Assigning Additional Destination Ports to an Existing Filter
1-11Security OverviewGetting Started with Access SecurityThe welcome banner appears and the first setup option is displayed (Operator password). As yo
9-20Traffic/Security Filters and MonitorsConfiguring Traffic/Security Filtersnew filter will receive the index number “2” and the second new filter wi
10-110Configuring Port-Based andUser-Based Access Control (802.1X)ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10-2Configuring Port-Based and User-Based Access Control (802.1X)Contents3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . .
10-3Configuring Port-Based and User-Based Access Control (802.1X)OverviewOverviewWhy Use Port-Based or User-Based Access Control?Local Area Networks a
10-4Configuring Port-Based and User-Based Access Control (802.1X)Overview• Port-Based access control option allowing authentication by a single client
10-5Configuring Port-Based and User-Based Access Control (802.1X)OverviewThis operation improves security by opening a given port only to individually
10-6Configuring Port-Based and User-Based Access Control (802.1X)TerminologyThis operation unblocks the port while an authenticated client session is
10-7Configuring Port-Based and User-Based Access Control (802.1X)Terminologya port loses its authenticated client connection, it drops its membership
10-8Configuring Port-Based and User-Based Access Control (802.1X)TerminologyStatic VLAN: A VLAN that has been configured as “permanent” on the switch
10-9Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationGeneral 802.1X Authenticator OperationThis oper
1-12Security OverviewGetting Started with Access Security2. When you enter the wizard, you have the following options:• To update a setting, type in a
10-10Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationNote The switches covered in this guide can us
10-11Configuring Port-Based and User-Based Access Control (802.1X)General 802.1X Authenticator OperationFigure 10-1. Priority of VLAN Assignment for a
10-12Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and NotesGeneral Operating Rules and Notes In the user-base
10-13Configuring Port-Based and User-Based Access Control (802.1X)General Operating Rules and Notes If a port on switch “A” is configured as an 802.1
10-14Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlGeneral Setup Procedure for 802.1X
10-15Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlFigure 10-2. Example of the Passwor
10-16Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access Control3. Determine whether to use user-ba
10-17Configuring Port-Based and User-Based Access Control (802.1X)General Setup Procedure for 802.1X Access ControlOverview: Configuring 802.1X Authen
10-18Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsNote If you want to implement the o
10-19Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators1. Enable 802.1X Authentication on
1-13Security OverviewGetting Started with Access SecurityThe Welcome window appears.Figure 1-2. Management Interface Wizard: Welcome WindowThis page a
10-20Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsB. Specify User-Based Authenticatio
10-21Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsExample: Configuring User-Based 802
10-22Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[quiet-period < 0 - 65535 >]S
10-23Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators[reauth-period < 0 - 9999999 >
10-24Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators3. Configure the 802.1X Authenticat
10-25Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators4. Enter the RADIUS Host IP Address
10-26Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators6. Optional: Reset Authenticator Op
10-27Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X Authenticators The 802.1s Multiple Spanning Tree
10-28Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports as 802.1X AuthenticatorsBecause a port can be configured fo
10-29Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN Mode802.1X Open VLAN ModeIntroductionThis section describes how to
1-14Security OverviewGetting Started with Access Security4. The summary setup screen displays the current configuration settings for all setup options
10-30Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote On ports configured to allow multiple sessions using 802.1
10-31Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote After client authentication, the port resumes membership i
10-32Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeTable 10-2. 802.1X Open VLAN Mode Options802.1X Per-Port Config
10-33Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeAuthorized-Client VLAN • After client authentication, the port
10-34Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Unauthorized-Client VLAN Configured
10-35Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOpen VLAN Mode with Only an Authorized-Client VLAN Configured:•
10-36Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeOperating Rules for Authorized-Client andUnauthorized-Client VL
10-37Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of Unauthorized-Client VLAN session on untagged port VLA
10-38Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeEffect of RADIUS-assigned VLANThis rule assumes no other authen
10-39Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote If you use the same VLAN as the Unauthorized-Client VLAN f
1-15Security OverviewGetting Started with Access SecuritySNMP Security GuidelinesIn the default configuration, the switch is open to access by managem
10-40Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeSetting Up and Configuring 802.1X Open VLAN ModePreparation. Th
10-41Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeNote that as an alternative, you can configure the switch to us
10-42Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN Mode3. If you selected either eap-radius or chap-radius for step 2,
10-43Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeConfiguring 802.1X Open VLAN Mode. Use these commands to actual
10-44Configuring Port-Based and User-Based Access Control (802.1X)802.1X Open VLAN ModeInspecting 802.1X Open VLAN Mode Operation. For information an
10-45Configuring Port-Based and User-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent
10-46Configuring Port-Based and User-Based Access Control (802.1X)Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authent
10-47Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S
10-48Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S
10-49Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S
1-16Security OverviewGetting Started with Access SecurityIf SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then yo
10-50Configuring Port-Based and User-Based Access Control (802.1X)Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other S
10-51Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersDisplaying 802.1X Configura
10-52Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersSyntax: show port-access a
10-53Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-10. Example of sho
10-54Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersTable 10-3. Field Descripti
10-55Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-12. Example of sho
10-56Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-13. Example of sho
10-57Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-14. Example of sho
10-58Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-15. Example of s
10-59Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-16. Example of sh
1-17Security OverviewPrecedence of Security OptionsPrecedence of Security OptionsThis section explains how port-based security options, and client-bas
10-60Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersViewing 802.1X Open VLAN Mo
10-61Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersThus, in the output shown i
10-62Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersTable 10-3. Output for Dete
10-63Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersFigure 10-18. Example of Sho
10-64Configuring Port-Based and User-Based Access Control (802.1X)Displaying 802.1X Configuration, Statistics, and CountersShow Commands for Port-Acce
10-65Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operationsupplicant port to another wi
10-66Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationNote You can use 802.1X (port
10-67Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN Operation• If the port is assigned as
10-68Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationIf this temporary VLAN assign
10-69Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFor example, suppose that a R
iiiContentsProduct DocumentationAbout Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviiPrinted Publications. . . . .
1-18Security OverviewPrecedence of Security Optionsvalue applied to a client session is determined in the following order (from highest to lowest prio
10-70Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationFigure 10-20. The Active Confi
10-71Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationWhen the 802.1X client’s sess
10-72Configuring Port-Based and User-Based Access Control (802.1X)How RADIUS/802.1X Authentication Affects VLAN OperationNote Any port VLAN-ID changes
10-73Configuring Port-Based and User-Based Access Control (802.1X)Messages Related to 802.1X OperationMessages Related to 802.1X OperationTable 10-4.
11-111Configuring and Monitoring Port SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11-2Configuring and Monitoring Port Security ContentsWeb: Checking for Intrusions, Listing IntrusionAlerts, and Resetting Alert Flags . . . . . .
11-3Configuring and Monitoring Port SecurityOverviewOverviewPort Security (Page 11-4). This feature enables you to configure each switch port with a
11-4Configuring and Monitoring Port Security Port SecurityPort SecurityBasic OperationDefault Port Security Operation. The default port security s
11-5Configuring and Monitoring Port SecurityPort Security• Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the
11-6Configuring and Monitoring Port Security Port Securityconfiguration to ports on which hubs, switches, or other devices are connected, and to m
1-19Security OverviewPrecedence of Security OptionsThe profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrPr
11-7Configuring and Monitoring Port SecurityPort SecurityPlanning Port Security1. Plan your port security configuration and monitoring according to th
11-8Configuring and Monitoring Port Security Port SecurityPort Security Command Options and OperationPort Security Commands Used in This SectionTh
11-9Configuring and Monitoring Port SecurityPort SecurityDisplaying Port Security Settings. Figure 11-2. Example Port Security Listing (Ports A7 and
11-10Configuring and Monitoring Port Security Port SecurityFigure 11-3. Example of the Port Security Configuration Display for a Single PortThe n
11-11Configuring and Monitoring Port SecurityPort SecurityFigure 11-4. Examples of Show Mac-Address Outputs
11-12Configuring and Monitoring Port Security Port SecurityConfiguring Port SecurityUsing the CLI, you can: Configure port security and edit secu
11-13Configuring and Monitoring Port SecurityPort SecuritySyntax: port-security (Continued)learn-mode < continuous | static | port-access | config
11-14Configuring and Monitoring Port Security Port SecuritySyntax: port-security (Continued)learn-mode < continuous | static | port-access | c
11-15Configuring and Monitoring Port SecurityPort SecuritySyntax: port-security (Continued)Addresses learned this way appear in the switch and port ad
11-16Configuring and Monitoring Port Security Port SecuritySyntax: port-security (Continued)mac-address [<mac-addr>] [<mac-addr>] . .
1-20Security OverviewPrecedence of Security OptionsClient-specific configurations are applied on a per-parameter basis on a port. In a client-specific
11-17Configuring and Monitoring Port SecurityPort SecurityRetention of Static AddressesStatic MAC addresses do not age-out. MAC addresses learned by u
11-18Configuring and Monitoring Port Security Port Security Delete it by using no port-security < port-number > mac-address < mac-addr &
11-19Configuring and Monitoring Port SecurityPort SecurityAdding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s exis
11-20Configuring and Monitoring Port Security Port Security(The message Inconsistent value appears if the new MAC address exceeds the current Addr
11-21Configuring and Monitoring Port SecurityPort SecurityRemoving a Device From the “Authorized” List for a Port. This command option removes unwante
11-22Configuring and Monitoring Port Security MAC LockdownThe following command serves this purpose by removing 0c0090-123456 and reducing the Add
11-23Configuring and Monitoring Port SecurityMAC LockdownYou will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If yo
11-24Configuring and Monitoring Port Security MAC LockdownOther Useful Information. Once you lock down a MAC address/VLAN pair on one port that pa
11-25Configuring and Monitoring Port SecurityMAC LockdownMAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safe
11-26Configuring and Monitoring Port Security MAC LockoutDeploying MAC LockdownWhen you deploy MAC Lockdown you need to consider how you use it wi
1-21Security OverviewProCurve Identity-Driven Manager (IDM)ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+)
11-27Configuring and Monitoring Port SecurityMAC LockoutTo use MAC Lockout you must first know the MAC Address you wish to block.How It Works. Let’s s
11-28Configuring and Monitoring Port Security MAC LockoutMAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot
11-29Configuring and Monitoring Port SecurityMAC LockoutPort Security and MAC LockoutMAC Lockout is independent of port-security and in fact will over
11-30Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security FeaturesWeb: Displaying and Configuring Port Security
11-31Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion thro
11-32Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert FlagsThe log shows the most recent intrusion at the top
11-33Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsMenu: Checking for Intrusions, Listing Intrusion Alerts
11-34Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags• Because the Port Status screen (figure 11-12 on
11-35Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsIn the following example, executing show interfaces bri
11-36Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert FlagsTo clear the intrusion from port A1 and enable the
2-12Configuring Username and Password SecurityContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11-37Configuring and Monitoring Port SecurityReading Intrusion Alerts and Resetting Alert FlagsFigure 11-17. Example of Log Listing With and Without De
11-38Configuring and Monitoring Port Security Operating Notes for Port SecurityOperating Notes for Port SecurityIdentifying the IP Address of an I
11-39Configuring and Monitoring Port SecurityOperating Notes for Port SecurityProCurve(config)# port-security e a17 learn-mode static address-limit 2L
12-112Using Authorized IP Managers ContentsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12-2Using Authorized IP ManagersOverviewOverviewAuthorized IP Manager Features The Authorized IP Managers feature uses IP addresses and masks to deter
12-3Using Authorized IP ManagersOptionsOptionsYou can configure: Up to 10 authorized manager addresses, where each address applies to either a single
12-4Using Authorized IP ManagersDefining Authorized Management StationsDefining Authorized Management Stations Authorizing Single Stations: The table
12-5Using Authorized IP ManagersDefining Authorized Management Stationsrized Manager IP address to authorize four IP addresses for management station
12-6Using Authorized IP ManagersDefining Authorized Management StationsFigure 12-2. Example of How To Add an Authorized Manager Entry (Continued)Editi
12-7Using Authorized IP ManagersDefining Authorized Management StationsFigure 12-3. Example of the Show IP Authorized-Manager DisplayThe above example
2-2Configuring Username and Password SecurityContentsRe-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation . . . . . .
12-8Using Authorized IP ManagersDefining Authorized Management StationsIf you omit the < mask bits > when adding a new authorized manager, the s
12-9Using Authorized IP ManagersWeb: Configuring IP Authorized ManagersWeb: Configuring IP Authorized ManagersIn the web browser interface you can con
12-10Using Authorized IP ManagersBuilding IP MasksUsing a Web Proxy Server to Access the Web Browser InterfaceCaution This is NOT recommended. Using a
12-11Using Authorized IP ManagersBuilding IP MasksFigure 12-5. Analysis of IP Mask for Single-Station EntriesConfiguring Multiple Stations Per Authori
12-12Using Authorized IP ManagersBuilding IP MasksFigure 12-6. Analysis of IP Mask for Multiple-Station Entries Figure 12-7. Example of How the Bitmap
12-13Using Authorized IP ManagersOperating NotesAdditional Examples for Authorizing Multiple StationsOperating Notes Network Security Precautions: Yo
12-14Using Authorized IP ManagersOperating Notes• Even if you need proxy server access enabled in order to use other applications, you can still elimi
Index – 1IndexNumerics3DES …7-3802.1X access controlauthenticate users … 10-5authentication methods … 10-4authentication, local … 10-6authentication,
2 – Indexpassword for port-access … 2-11, 2-21port, supplicant … 10-16port-basedaccess … 10-4client without authentication … 10-5effect of Web/MAC aut
Index – 3ports … 10-39untagged … 10-30, 10-33, 10-34untagged membership … 10-20VLAN operation … 10-65VLAN use, multiple clients … 10-7VLAN, assignment
2-3Configuring Username and Password SecurityOverviewOverviewConsole access includes both the menu interface and the CLI. There are two levels of cons
4 – Indexroot … 7-4self-signed … 7-3CHAP …5-11chap-radius …5-11cipher,SSH …6-17Clear buttonto delete password protection … 2-7configurationfilters … 9
Index – 5bpdu protection, none …1-8SSH, disabled … 1-4, 6-2SSL, disabled … 1-5, 7-2TACACS+authentication configuration … 4-9authentication, disabled …
6 – IndexEEavesdrop Protection … 11-4encryption keyRADIUS … 2-11, 2-15TACACS … 2-11, 2-15event logalerts for monitored events … 8-34intrusion alerts …
Index – 7authenticator operation … 3-6blocked traffic … 3-3CHAPdefined … 3-11usage … 3-3client status … 3-60concurrent with Web … 3-4configuration com
8 – Indextracking client authentication failures … 8-33Web authentication … 10-4Web/MAC … 10-20See also 802.1X access control.port scan, detecting …8-
Index – 9server access order, changing … 5-50servers, multiple … 5-19service type value … 5-8service-type value … 5-14service-type value, null … 5-14s
10 – IndexOption 82 … 8-6, 8-9statistics … 8-6untrusted-policy … 8-10verify … 8-6source port filtersconfiguring … 9-4named … 9-6operating rules … 9-4S
Index – 11prerequisites … 7-5remove self-signed certificate … 7-9remove server host certificate … 7-9reserved TCP port numbers … 7-20root … 7-4root ce
12 – IndexUuntrusted policy, snooping …8-10user namecleared … 2-7SNMP configuration … 2-3Vvendor-specific attributeconfiguring support for HP VSAs … 5
ProCurve 5400zl i and *5992-5525*Technology for better business outcomes To learn more, visit www.hp.com/go/bladesystem/documentation/© Copy
2-4Configuring Username and Password SecurityOverviewTo configure password security:1. Set a Manager password pair (and an Operator password pair, if
2-5Configuring Username and Password SecurityOverviewNotes The manager and operator passwords and (optional) usernames control access to the menu inte
2-6Configuring Username and Password SecurityConfiguring Local Password SecurityConfiguring Local Password SecurityMenu: Setting PasswordsAs noted ear
iv2 Configuring Username and Password SecurityContents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2-7Configuring Username and Password SecurityConfiguring Local Password SecurityTo Delete Password Protection (Including Recovery from a Lost Password
2-8Configuring Username and Password SecurityConfiguring Local Password SecurityCLI: Setting Passwords and UsernamesCommands Used in This SectionConfi
2-9Configuring Username and Password SecurityConfiguring Local Password SecurityIf you want to remove both operator and manager password protection, u
2-10Configuring Username and Password SecuritySaving Security Credentials in a Config FileSaving Security Credentials in a Config FileYou can store an
2-11Configuring Username and Password SecuritySaving Security Credentials in a Config File The chapter on “Switch Memory and Configuration” in the Ma
2-12Configuring Username and Password SecuritySaving Security Credentials in a Config FileLocal Manager and Operator PasswordsThe information saved to
2-13Configuring Username and Password SecuritySaving Security Credentials in a Config FileYou can enter a manager, operator, or 802.1X port-access pas
2-14Configuring Username and Password SecuritySaving Security Credentials in a Config File[priv <priv-pass>] is the (optional) hashed privacy pa
2-15Configuring Username and Password SecuritySaving Security Credentials in a Config FileThe password port-access values are configured separately fr
2-16Configuring Username and Password SecuritySaving Security Credentials in a Config Fileduring authentication sessions. Both the switch and the serv
vPassword Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-343 Web and MAC AuthenticationContents . . . . . . .
Note
The ip ssh public-key command allows you to configure o

To display the SSH public-key configurations (72 characters

Operating Notes
Caution
When you first enter the include-cr

• copy config <source-filename> config <target-file

Restrictions
The following restrictions apply when you enable

the username and password used as 802.1X authentication cred

Front-Panel Security
The front-panel security features provide the ability to indepen

As a result of increased security concerns, customers now have the ability to stop s

Clear Button
Pressing the Clear button alone for five seconds resets the password(s)

2. While holding the Reset button, press and hold the Clear button for five seconds.
Configuring Front-Panel Security
Using the front-panel-security command from the glob

For example, show front-panel-security produces the following output when the switch

Disabling the Clear Password Function of the Clear Button
This command displays a Cau

Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation
F

Figure 2-12. Example of Re-Enabling the Clear Button’s Default Operation
Changing the

Figure 2-13. Example of Disabling the Factory Reset Option
Password Recovery
The password

factory-default configuration. This can disrupt network operation and make it necessary

Figure 2-14. Example of the Steps for Disabling Password-Recovery
Password Recovery Proc

3 Web and MAC Authentication
Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50
3-3 Web and MAC Authentication
Overview
Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based s

Note
A proxy server is not supported for use by a browser on a client device that accesses the network through a

Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate

How Web and MAC Authentication Operate
clients by using an “unauthorized” VLAN for each session. The unauthorized VLAN ID

Web-based Authentication
When a client connects to a Web-Auth enabled port, communic

If the client is authenticated and the maximum number of clients allowed on the por

A client may not be authenticated due to invalid credentials or a RADIUS server tim

The assigned port VLAN remains in place until the session ends. Clients may be for

Terminology
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagge

Operating Rules and Notes
The switch supports concurrent 802.1X, Web and MAC authentication o
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port b

Setup Procedure for Web/MAC Authentication
Web/MAC Authentication and LACP
Web or MAC authentication and LACP are not supp

Figure 3-4. Example of show port-access config Command Output
3. Determine whe

Note that when configuring a RADIUS server to assign a VLAN, you can use eithe

aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
AABBCCDDEEFF
AABBCC-DDEEFF
AA-BB-CC-DD-EE-FF
AA

Syntax: [no] radius-server [host <ip-address>] [oobm]
Adds a server to

For example, to configure the switch to access a RADIUS server at IP address 1

Configuring Web Authentication
Overview
1. If you have not already done so, configure a loca

• You can block only incoming traffic on a port before authentication occurs. Outgoing tra

Syntax: aaa port-access <port-list> controlled-directions <both | in>
After yo