HP PROCURVE W.14.03 User Manual

Browse online or download the user manual for the HP PROCURVE W.14.03 software. HP PROCURVE W.14.03 User's Manual

Access Security Guide
ProCurve Switches
W.14.03
2910al
www.procurve.com

Table of Contents

Page 1 - ProCurve Switches

Access Security Guide ProCurve Switches W.14.03 2910al www.procurve.com

Page 2

General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43 RADIUS Authentication Statistics . . . . . . . .

Page 3 - HP ProCurve 2910al Switch

Web and MAC Authentication Configuring the Switch To Access a RADIUS Server aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff AABBCCDDEEFF AABBCC-DDEEFF AA-BB-CC-DD

Page 4 - Hewlett-Packard Company

Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to t

Page 5

Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview 1. If you have not already done so, configure a loc

Page 6

Web and MAC Authentication Configuring Web Authentication Configuration Commands for Web Authentication Command Page Configuration Level aaa port-acc

Page 7

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> After yo

Page 8 - 4 TACACS+ Authentication

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> — Contin

Page 9

Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list> Enables web

Page 10

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based <port-list > [client-moves] Configures whether the

Page 11

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based <port-list> [max-retries <1-10>] Specifies th

Page 12

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based <port-list> [redirect-url <url>] no aaa port-

Page 13

Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 14

Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 3-

Page 15

Web and MAC Authentication Configuring Web Authenti

Page 16 - Configuring Port-Based and

Web and MAC Authentication Configuring Web Authentication ProCurve(config)# show port-access web-based clients 1 detailed Port Access

Page 17

Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based con

Page 18

Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config <port-list> detai

Page 19

Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based c

Page 20 - 15 Key Management System

Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not alre

Page 21 - Product Documentation

Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Leve

Page 22 - Software Feature Index

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based < port-list > Enables MAC-based

Page 23 - Features

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [logoff-period] <

Page 24

8 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 25

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [unauth-vid <vid

Page 26

Web and MAC Auth

Page 27 - Security Overview

Web and MAC Authentication Configuring MAC Authentication on

Page 28 - Introduction

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show p

Page 29 - Access Security Features

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config <port-list>

Page 30

Web and MAC Authentication Configuring MAC Authentication on the Switch S

Page 31

Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-base

Page 32

4 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 33 - Network Security Features

TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view

Page 34

TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACA

Page 35

ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14 What Is the Difference Between Network (or

Page 36 - Physical Security

TACACS+ Authentication Terminology Used in TACACS Applications: everyone who needs to access the switch, and you must configure and manage password

Page 37

TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: A TACACS+ ser

Page 38 - Enter]

TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockout occurs on the switch as a result of a TACACS+ conf

Page 39

TACACS+ Authentication General Authentication Setup Procedure If you are a first-time user of the TACACS+ service, ProCurve recommends that you confi

Page 40

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authenticatio

Page 41

TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 4-9 show tacacs 4-

Page 42 - SNMP Security Guidelines

TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the t

Page 43

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures acc

Page 44

TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects t

Page 45 - Network Immunity Manager

TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters Table 4-1. AAA Authentication Parameters Parameters Name Default

Page 46

Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44 Configuring Named, Standard ACLs . . . . . . . .

Page 47

TACACS+ Authentication Configuring TACACS+ on the Switch numbers 0 through 15, with zero allowing only Operator privileges (and requiring two login

Page 48

TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, l

Page 49

TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authen

Page 50

TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them

Page 51

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these

Page 52

TACACS+ Authentication Configuring TACACS+ on the Switch tacacs-server key <key-string> Enters the optional global encryption key. [no] tacacs-s

Page 53

TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none n/a Specifies the

Page 54 - Menu: Setting Passwords

TACACS+ Authentication Configuring TACACS+ on the Switch key <key-string> none (null) n/a Name Default Range Specifies the optional, global

Page 55

TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-7. Examp

Page 56

TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command

Page 57 - [Apply Changes]

10 Configuring Advanced Threat Protection Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 58 - Config File

TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a TACACS+ Server Authentication

Page 59 - Credentials

TACACS+ Authentication How Authentication Operates 4. When the requesting terminal responds to the prompt with a password, the switch forwards it to

Page 60 - ■ TACACS+ encryption keys

TACACS+ Authentication How Authentication Operates attempt limit without a successful authentication, the login session is terminated and the opera

Page 61

TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication in the switch must be identical to the encryption ke

Page 62 - SNMP Security Credentials

TACACS+ Authentication Messages Related to TACACS+ Operation Configure the switch’s Authorized IP Manager feature to allow web browser access on

Page 63

TACACS+ Authentication Operating Notes Operating Notes If you configure Authorized IP Managers on the switch, it is not necessary to include any de

Page 64

TACACS+ Authentication Operating Notes 4-30

Page 65

5 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 66

RADIUS Authentication and Accounting Contents Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34 Config

Page 67

RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 5-8 n/a Configu

Page 68

11 12 Traffic/Security Filters and Monitors Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 69 - Restrictions

RADIUS Authentication and Accounting Overview Note The switch does not support RADIUS security for SNMP (network management) access. For information

Page 70

RADIUS Authentication and Accounting Terminology Terminology AAA: Authentication, Authorization, and Accounting groups of services provided by the ca

Page 71 - Front-Panel Security

RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Shared Secret Key: A text value used for encrypting data in RADIUS packets. Bot

Page 72 - Front-Panel Button Functions

RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS serv

Page 73 - Reset Button

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contactin

Page 74

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There

Page 75

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RAD

Page 76

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibilit

Page 77

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-2 shows an example of the show authentication command

Page 78

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-3. Example Configuration for RADIUS Authentication The

Page 79

802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-5 Alternative To Using a RADIUS Server . . . . . . . . . . . .

Page 80 - Password Recovery

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access.

Page 81 - [Y] (for “Yes”)

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch To Access a RADIUS Server This section d

Page 82 - Password Recovery Process

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [key < key-string >] Optional. Specifies an encryption key

Page 83

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Configuration for RADIUS Server Before Changi

Page 84

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Global server key: The server key the switch will use for con

Page 85

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 - 15 > Specifies the maximum tim

Page 86

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication After two attempts failing due to username or password entry err

Page 87 - MAC Authentication

Security Notes RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure S

Page 88

RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Confi

Page 89 - Operate

RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Au

Page 90 - Web-based Authentication

13 802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 12-46 Option For Authenticator Ports: Configure Port-Security

Page 91

RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts

Page 92 - MAC-based Authentication

RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized ac

Page 93

RADIUS Authentication and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization

Page 94

RADIUS Authentication and Accounting Commands Authorization Enabling Authorization To configure authorization for controlling access to the CLI comman

Page 95 - Operating Rules and Notes

RADIUS Authentication and Accounting Commands Authorization Displaying Authorization Information You can show the authorization information by enterin

Page 96

RADIUS Authentication and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various

Page 97 - Setup Procedure for Web/MAC

RADIUS Authentication and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dicti

Page 98

RADIUS Authentication and Accounting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList

Page 99

RADIUS Authentication and Accounting Commands Authorization 6. Right click and then select New > key. Add the vendor Id number that you determined

Page 100 - RADIUS Server

RADIUS Authentication and Accounting Commands Authorization # # dictionary.hp # # As posted to the list by User <user_email> # # Version:

Page 101 - Web and MAC Authentication

MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22 Differences Between MAC Lockdown and Po

Page 102 - Overview

RADIUS Authentication and Accounting Commands Authorization Additional RADIUS Attributes The following attributes are included in Access-Request and A

Page 103

RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server h

Page 104

RADIUS Authentication and Accounting Configuring RADIUS Accounting Exec accounting: Provides records holding the information listed below about log

Page 105

RADIUS Authentication and Accounting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting You can configure up to four types of acco

Page 106

RADIUS Authentication and Accounting Configuring RADIUS Accounting must match the encryption key used on the specified RADIUS server. For more informa

Page 107

RADIUS Authentication and Accounting Configuring RADIUS Accounting [key < key-string >] Optional. Specifies an encryption key for use during acc

Page 108

RADIUS Authentication and Accounting Configuring RADIUS Accounting The radius-server command as shown in figure 5-11, above, configures the switch to

Page 109

RADIUS Authentication and Accounting Configuring RADIUS Accounting Stop-Only: • Send a stop record accounting notice at the end of the accounting

Page 110

RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optiona

Page 111

RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-

Page 113

Using a Web Proxy Server to Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 114

RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Term Definiti

Page 115

RADIUS Authentication and Accounting Viewing RADIUS Statistics Requests The number of RADIUS Accounting-Request packets sent. This does not include r

Page 116

RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Authentication Information from a Specific Server RADIUS

Page 117

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-19. Example of RADIUS Accounting Information for a Specific Server F

Page 118

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try t

Page 119

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts th

Page 120

RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS ser

Page 121

6 Configuring RADIUS Server Support for Switch Services Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 122

Configuring RADIUS Server Support for Switch Services Contents Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . .

Page 123

Configuring RADIUS Server Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server t

Page 124

Product Documentation About Your Switch Manual Set Note For the latest version of all ProCurve switch documentation, including Release Notes covering

Page 125

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting RADIUS Server

Page 126 - Client Status

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Service Contro

Page 127 - TACACS+ Authentication

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Table 6-2. Ex

Page 128

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Syntax: show p

Page 129 - Applications:

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p

Page 130

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned

Page 131 - General System Requirements

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL

Page 132

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Permit: An ACE configured with this a

Page 133

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic

Page 134 - Before You Begin

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note A RADIUS-assigned ACL assignmen

Page 135 - Configuration

Software Feature Index For the software manual set supporting your 2910al switch model, this feature index indicates which manual to consult for infor

Page 136 - Server Contact Configuration

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists RADIUS-assigned ACLs Static Port AC

Page 137

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists the same username/password pair. Wher

Page 138

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 3. Configure the ACLs on a RADIUS s

Page 139 - Authentication Parameters

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Operating Rules for RADIUS-Assigned A

Page 140

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Elements in a RADIUS-assigned ACL Co

Page 141

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring ACE Syntax in RADIUS Serv

Page 142 - Login Primary

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists any: • Specifies any IPv4 destinati

Page 143

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. Enter the ACL standard attri

Page 144 - [key < key-string >]

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. Enter the ProCurve vendor-

Page 145

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note For syntax details on RADIUS-as

Page 146

Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide DHCP/Bo

Page 147 - First-Choice TACACS+ Server

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuration Notes Explicitly Permi

Page 148

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note Refer to the documentation prov

Page 149

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Displaying the Current RADIUS-Assign

Page 150 - How Authentication Operates

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: show port-access authenticato

Page 151 - Local Authentication Process

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ProCurve(config)# show port-a

Page 152 - Using the Encryption Key

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Event Log Messages Message Meaning A

Page 153 - Authentication

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Message Meaning Invalid Access-list

Page 154 - Operation

7 Configuring Secure Shell (SSH) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Page 155 - Operating Notes

Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI Web Generating a public/private key pair on the switch No n/a page

Page 156

Configuring Secure Shell (SSH) Terminology Switch SSH and User Password Authentication . This option is a subset of the client public-key authenticat

Page 157 - Contents

Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide MAC Loc

Page 158

Configuring Secure Shell (SSH) Prerequisite for Using SSH Local password or username: A Manager-level or Operator-level password configured in

Page 159

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch

Page 160 - Configuration MIB

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (O

Page 161 - Terminology

Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes Public keys generated on an SSH client must be e

Page 162

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Secti

Page 163

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To Configure Local Passwords. You can configure both the Operator and Manager

Page 164

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places th

Page 165

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation show crypto host-public-key Displays switch’s public key. Displays the version

Page 166 - You Want RADIUS To Protect

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation hosts file, note that the formatting and comments need not match. For vers

Page 167

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation The public key generated by the switch consists of three parts, separated by o

Page 168

Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide RMON 1,

Page 169

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Befor

Page 170

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerprints" of the Same Switch Phonetic "Hash"

Page 171

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and a

Page 172

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher

Page 173

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connection

Page 174

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourse

Page 175

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option A: Configuring SSH Access for Password-Only SSH Authentication. Whe

Page 176

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ipv4-address | ipv6-address > < fil

Page 177 - Security Notes

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ProCurve(config)# password manager user-name leader Configures Manager user-

Page 178

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH conf

Page 179 - (hpSwitchAuth) is disabled

Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide Voice V

Page 180

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication If you enable client public-key authentication, the foll

Page 181

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps descr

Page 182 - Commands Authorization

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 2. Copy the client’s public key into a text file (file

Page 183 - Enabling Authorization

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The babble option converts the key data to phonetic hashes

Page 184

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-publi

Page 185

Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. File tra

Page 186

Configuring Secure Shell (SSH) Messages Related to SSH Operation Generating new RSA host key. If the After you execute the generate ssh [dsa | rsa

Page 187

8 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 188

Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI Web Generating a Self Signed Certificate on the switch No n

Page 189

Configuring Secure Socket Layer (SSL) Terminology ProCurve Switch (SSL Server) SSL Client Browser 1. Switch-to-Client SSL Cert. 2. User-to-Switch (log

Page 190 - Additional RADIUS Attributes

1 Security Overview Contents Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 191

Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to sign certificates (

Page 192

Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install

Page 193

Configuring Secure Socket Layer (SSL) General Operating Rules and Notes 4. Use your SSL enabled browser to access the switch using the switch’s IP

Page 194

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in Th

Page 195 - ■ IP address: 10.33.18.151

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Security Tab Password Button Figure 8-2. Example of Configuring Loca

Page 196

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The server certificate is stored in the switch’s flash memory. The serv

Page 197 - ■ Stop-Only:

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: cr

Page 198

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 8-1.Certificate Field Descriptions Field Name Description Valid

Page 199 - Viewing RADIUS Statistics

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. Syntax: show crypto host-ce

Page 200

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To generate a self signed host certificate from the web browser interfa

Page 201 - Note: The Webui

Security Overview Introduction Introduction This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3

Page 202 - RADIUS Accounting Statistics

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers

Page 203

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing

Page 204

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation that involves having the certificate authority verify the certificat

Page 205

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation -----BEGIN CERTIFICATE-----MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUA

Page 206

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch

Page 207

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl

Page 208

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SSL and port number Selection Figure 8-8. Using the web brow

Page 209

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate o

Page 210 - Limiting

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 8-22

Page 211

9 IPv4 Access Control Lists (ACLs) Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 212

Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authen

Page 213

IPv4 Access Control Lists (ACLs) Contents Configuring and Assigning an IPv4 ACL . . . . . . . . . . . . . . . . . . . . . . . 9-34 A Configured ACL

Page 214

IPv4 Access Control Lists (ACLs) Contents Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-85 Display an ACL

Page 215 - Configuring and Using

IPv4 Access Control Lists (ACLs) Introduction Introduction An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specify

Page 216

IPv4 Access Control Lists (ACLs) Introduction Notes IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of you

Page 217

IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Overview of Options for Applying IPv4 ACLs on the Switch To

Page 218

IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Create a Standard, ProCurve(config)# access-list &

Page 219 - Static ACLs

IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Table 9-2. Command Summary for IPv4 Extended ACLs Action C

Page 220 - ACL to a Switch Port

IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Enter or Remove a ProCurve(config)# ip access-list extended

Page 221

IPv4 Access Control Lists (ACLs) Terminology Terminology Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to

Page 222 - The Packet-filtering Process

IPv4 Access Control Lists (ACLs) Terminology ACL Mask: Follows any IPv4 address (source or destination) listed in an ACE. Defines which bits in a pack

Page 223

HP ProCurve 2910al Switch February 2009 W.14.03 Access Security Guide

Page 224 - Nas-Filter-Rule-Options

Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Telnet and enable

Page 225

IPv4 Access Control Lists (ACLs) Terminology Inbound Traffic: For the purpose of defining where the switch applies IPv4 ACLs to filter traffic, inboun

Page 226

IPv4 Access Control Lists (ACLs) Terminology whether there is a match between a packet and the ACE. In an extended ACE, this is the first of two IPv4

Page 227 - FreeRADIUS Application

IPv4 Access Control Lists (ACLs) Overview Overview Types of IPv4 ACLs A permit or deny policy for IPv4 traffic you want to filter can be based on sour

Page 228

IPv4 Access Control Lists (ACLs) Overview Static Port ACL and Dynamic Port ACL Applications An IPv4 static port ACL filters any IPv4 traffic inbound o

Page 229 - RADIUS-Assigned ACL

IPv4 Access Control Lists (ACLs) Overview 802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 8 individually

Page 230 - Configuration Notes

IPv4 Access Control Lists (ACLs) Overview • The CLI remark command option allows you to enter a separate comment for each ACE. A source or destinat

Page 231

IPv4 Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs 1. Identify the ACL application to apply. As part of this s

Page 232

IPv4 Access Control Lists (ACLs) Overview For more details on ACL planning considerations, refer to “Planning an ACL Application” on page 9-24. Cautio

Page 233

IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation IPv4 Static ACL Operation Introduction An ACL is a list of one or more Access Control Entri

Page 234

IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation ACL. This directs the ACL to permit (forward) packets that do not have a match with any ear

Page 235 - Event Log Messages

Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details SSL disabled Sec

Page 236 - Monitoring Shared Resources

IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation Is there a match? Perform action (permit or deny). No Test a packet against criteria in fir

Page 237

IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation 1. Permit inbound IPv4 traffic from IP address 10.11.11.42. 2. Deny only the inbound Tel

Page 238

IPv4 Access Control Lists (ACLs) Planning an ACL Application Planning an ACL Application Before creating and implementing ACLs, you need to define the

Page 239

IPv4 Access Control Lists (ACLs) Planning an ACL Application What are the logical points for minimizing unwanted traffic, and what ACL application(

Page 240 - Public Key Formats

IPv4 Access Control Lists (ACLs) Planning an ACL Application Caution IPv4 ACLs can enhance network security by blocking selected traffic, and can ser

Page 241

IPv4 Access Control Lists (ACLs) Planning an ACL Application Generally, you should list ACEs from the most specific (individual hosts) to the most

Page 242

IPv4 Access Control Lists (ACLs) Planning an ACL Application Explicitly Permitting Any IPv4 Traffic: Entering a permit any or a permit ip any any A

Page 243

IPv4 Access Control Lists (ACLs) Planning an ACL Application Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for t

Page 244

IPv4 Access Control Lists (ACLs) Planning an ACL Application ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0

Page 245

IPv4 Access Control Lists (ACLs) Planning an ACL Application • A group of IPv4 addresses fits the matching criteria. In this case you provide both th

Page 246

Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details RADIUS disabled

Page 247 - Key for the

IPv4 Access Control Lists (ACLs) Planning an ACL Application dictates that a match occurs only when the source address on such packets is identical to

Page 248 - Configuring Key Lengths

IPv4 Access Control Lists (ACLs) Planning an ACL Application Table 9-3. Mask Effect on Selected Octets of the IPv4 Addresses in Table 9-2 Addr Octet

Page 249 - Modulus <n>

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Configuring and Assigning an IPv4 ACL ACL Feature Page Caution Regarding the U

Page 250

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Options for Permit/Deny Policies The permit or deny policy for IPv4 traffic you

Page 251 - Client Contact Behavior

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL 3. One or more deny/permit list entries (ACEs): One entry per line. Element N

Page 252 - ■ Execute no ip ssh

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-7 shows how to interpret the entries in a standard ACL. P

Page 253

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL ip access-list extended < identifier > [ [ seq-# ] remark < remark

Page 254 - Enable SSH

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-9 shows how to interpret the entries in an extended ACL.

Page 255

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, suppose that you have applied the ACL shown in figure 9-10 to inbo

Page 256

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Line # Action Any packet from any IPv4 SA to any IPv4 DA will be permitted

Page 257

Security Overview Network Security Features Network Security Features This section outlines features and defence mechanisms for protecting access thro

Page 258

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Using the CLI To Create an ACL Command Page access-list (standard ACLs) 9-44

Page 259 - Public-Key Authentication

IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL To insert an ACE anywhere in a numbered ACL, use the same process as described

Page 260

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Standard ACLs Table 9-6. Command Summary for Standard ACLs Action Command(s)

Page 261 - Comment

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs A standard ACL uses only source IPv4 addresses in its ACEs. This type of ACE is useful when

Page 262

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Named, Standard ACLs This section describes the commands for performing the fol

Page 263 - Key Index Number

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring ACEs in a Named, Standard ACL. Configuring ACEs is done after using the ip ac

Page 264

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs [ log] This option generates an ACL log message if: • The action is deny. • There is a m

Page 265

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs ProCur

Page 266 - Debug Logging

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Creating or Adding to a Standard, Numbered ACL. This command is an alternative to using i

Page 267

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA/mask-length >> Defines the source I

Page 268

Security Overview Network Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Access Control n

Page 269

IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Example of Cr

Page 270

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Extended ACLs Table 9-7. Command Summary for Extended ACLs Action Comman

Page 271 - Prerequisite for Using SSL

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Action Command(s) Page Enter or Remove a ProCurve(config)# ip access-list extended <

Page 272

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a pac

Page 273

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Creating a Named, Extended ACL and/or Entering the “Named ACL” (nacl) Context. This comman

Page 274 - Password Button

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Confi

Page 275

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packe

Page 276

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask-length | DA/ < mask >> This is the second i

Page 277 - Generate New Certificate

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after the DA to cause the ACE to matc

Page 278

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or

Page 279

Security Overview Network Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Key none KMS is

Page 280 - [SSL] button

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your appli-

Page 281 - Web browser interface

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to

Page 282

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [icmp-type [ icmp-code] ] m

Page 283 - Browser Contact Behavior

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Option for IGMP in Extended ACLs. This option is useful where it is necessary to permit s

Page 284

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs For other IPv4 ACL topics, refer to the following: Topic Page configuring named, standard

Page 285

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs If the ACL does not already exist, this command creates the specified ACL and its first ACE

Page 286 - Enable SSL

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required fo

Page 287 - Common Errors in SSL setup

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a pac

Page 288

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedence-name >] This option causes the ACE to match packets

Page 289

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Options for TCP and UDP Traffic. An ACE designed to permit or deny TCP or UDP

Page 290

Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plug and play” devices,

Page 291

IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Syntax: access-list < 100 - 199 > < deny | permit > igmp < src-ip > &

Page 292

IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering I

Page 293

IPv4 Access Control Lists (ACLs) Deleting an ACL ProCurve(config)# interface b10 ip access-group My-List in ProCurve(config)# interface b10 ProCurve(et

Page 294 - ACLs on the Switch

IPv4 Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provides the capability for editing in the switch by using se

Page 295

IPv4 Access Control Lists (ACLs) Editing an Existing ACL You can delete any ACE from any ACL (named or numbered) by using the ip access-list comman

Page 296

IPv4 Access Control Lists (ACLs) Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 9-16: ProCurve(config)# i

Page 297

IPv4 Access Control Lists (ACLs) Editing an Existing ACL 2. Begin the ACE command with a sequence number that identifies the position you want the A

Page 298

IPv4 Access Control Lists (ACLs) Editing an Existing ACL Deleting an ACE from an Existing ACL This action uses ACL sequence numbers to delete ACEs fro

Page 299

IPv4 Access Control Lists (ACLs) Editing an Existing ACL Resequencing the ACEs in an ACL This action reconfigures the starting sequence number for ACE

Page 300

IPv4 Access Control Lists (ACLs) Editing an Existing ACL Attaching a Remark to an ACE A remark is numbered in the same way as an ACE, and uses the sam

Page 301

Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorize

Page 302

IPv4 Access Control Lists (ACLs) Editing an Existing ACL Note After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >),

Page 303

IPv4 Access Control Lists (ACLs) Editing an Existing ACL Inserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark w

Page 304

IPv4 Access Control Lists (ACLs) Editing an Existing ACL Operating Notes for Remarks The resequence command ignores “orphan” remarks that do not ha

Page 305

IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data ACL Commands Function Page show access-list sho

Page 306

IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display an ACL Summary This command lists the configured IPv4 ACLs. Syntax: sh

Page 307 - Routing

IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configuration

Page 308 - IPv4 Static ACL Operation

IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display Static Port ACL Assignments This command briefly lists the identification a

Page 309

IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data

Page 310

IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data ProCurve(

Page 311

IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data IP Used for Standard ACLs: The source IP address to which the configured mask is a

Page 312 - Planning an ACL Application

Security Overview Getting Started with Access Security CLI: Management Interface Wizard To configure security settings using the CLI wizard, follow th

Page 313 - Security

IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance Monitoring Static ACL Performance ACL statistics counters provide a means for monit

Page 314

IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance ACE Counter Operation: For a given ACE in an assigned ACL, the counter increme

Page 315

IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Creating or Editing ACLs Offline The section titled “Editing an Existing ACL” on pag

Page 316 - Matches

IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline 10 permit tcp 10.30.133.27 0.0.0.0 eq 23 0.0.0.0 255.255.255.255 If you are replaci

Page 317 - Access Control Entry (ACE)

IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traf

Page 318

IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includ

Page 319

IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Logging on the Switch 1. If you are using a Syslog server, use the logging &l

Page 320

IPv4 Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. ACLs cannot be con

Page 321

IPv4 Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several o

Page 322

10 Configuring Advanced Threat Protection Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 323 - ACL Configuration Structure

Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the following options: • To update a setting, type in

Page 324 - Standard ACL Structure

Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous

Page 325 - ■ A permit/deny statement

Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficient resources are not available to transmi

Page 326

Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to

Page 327 - ACL Configuration Factors

Configuring Advanced Threat Protection DHCP Snooping option: Add relay information option (Option 82) to DHCP client packets that are b

Page 328

Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping stats Packet type Action Reason Count -----------

Page 329

Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port

Page 330 - General ACE Rules

Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authorized server addresses are c

Page 331

Configuring Advanced Threat Protection DHCP Snooping Note DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, no

Page 332 - Configuring Standard ACLs

Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address

Page 333

Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve(config)# show dhcp-snooping DHCP Snooping Inf

Page 334

© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Righ

Page 335

Security Overview Getting Started with Access Security The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page

Page 336

Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. To dis

Page 337

Configuring Advanced Threat Protection DHCP Snooping ProCurve recommends running a time synchronization protocol such as SNTP in order to track lea

Page 338

Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for <duration>. More than one DHCP client packet

Page 339

Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic

Page 340 - 9-11 on page 9-48

Configuring Advanced Threat Protection Dynamic ARP Protection Verifies IP-to-MAC address bindings on untrusted ports with the information stored i

Page 341 - Configuring Extended ACLs

Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a r

Page 342

Configuring Advanced Threat Protection Dynamic ARP Protection Figure 10-9. Configuring Trusted Ports for Dynamic ARP Protection Take into account the

Page 343

Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Binding to the DHCP Database A routing switch maintains a DHCP bindi

Page 344

Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be co

Page 345

Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp p

Page 346

Security Overview Getting Started with Access Security 4. The summary setup screen displays the current configuration settings for all setup options

Page 347

Configuring Advanced Threat Protection Dynamic ARP Protection Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monito

Page 348

Configuring Advanced Threat Protection Using the Instrumentation Monitor Using the Instrumentation Monitor The instrumentation monitor can be used to

Page 349

Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes To generate alerts for monitored events, you must enable t

Page 350 - [Shift] [?] key combination

Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are

Page 351

Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and threshold

Page 352

Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrument

Page 353

Configuring Advanced Threat Protection Using the Instrumentation Monitor 10-28

Page 354

11 Traffic/Security Filters and Monitors Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 355

Traffic/Security Filters and Monitors Overview Overview Applicable Switch Models. As of June 2007, Traffic/Security filters are available on these cur

Page 356

Traffic/Security Filters and Monitors Filter Types and Operation You can enhance in-band security and improve control over access to network resources

Page 357

Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the switch is open to access by manageme

Page 358

Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic fr

Page 359

Traffic/Security Filters and Monitors Filter Types and Operation When you create a source port filter, all ports and port trunks (if any) on the sw

Page 360

Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workst

Page 361 - On an Interface

Traffic/Security Filters and Monitors Filter Types and Operation To change the named source-port filter used on a port or port trunk, the current f

Page 362 - Deleting an ACL

Traffic/Security Filters and Monitors Filter Types and Operation Syntax: filter source-port named-filter <filter-name > forward < destinatio

Page 363 - Editing an Existing ACL

Traffic/Security Filters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in

Page 364 - Sequence Numbering in ACLs

Traffic/Security Filters and Monitors Filter Types and Operation Defining and Configuring Example Named Source-Port Filters. While named source-port f

Page 365

Traffic/Security Filters and Monitors Filter Types and Operation Figure 11-7. Example of the show filter Command Using the IDX value in the show

Page 366

Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Fil

Page 367

Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Por

Page 368

Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you

Page 369 - Attaching a Remark to an ACE

Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desi

Page 370

Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name

Page 371

Traffic/Security Filters and Monitors Filter Types and Operation Table 11-2. Multicast Filter Limits Max-VLANs Setting Maximum # of Multicast Filters

Page 372 - Operating Notes for Remarks

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Only one filter for a particular protocol type can be configured at any one

Page 373

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port

Page 374 - Display an ACL Summary

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want

Page 375

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the r

Page 376

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 11-15. Assigning Additional Destination Ports to an Existing Filter

Page 377 - Indicates whether the ACL

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 11-3 on a

Page 378

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all

Page 379

Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-base

Page 380

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Filter Index Numbers (Automatically Assigned) Lists all filters configured

Page 381

12 Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 382 - The Offline Process

Configuring Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . .

Page 383

Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Au

Page 384 - Enable ACL “Deny” Logging

Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client

Page 385 - ACL Logging Operation

Configuring Port-Based and User-Based Access Control (802.1X) Overview credentials. This operation improves security by opening a given port only to i

Page 386

Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in

Page 387 - General ACL Operating Notes

Configuring Port-Based and User-Based Access Control (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in

Page 388

Configuring Port-Based and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by

Page 389

Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This opera

Page 390

Security Overview Precedence of Security Options DCA allows client-specific parameters configured in any of the following ways to be applied and remov

Page 391 - DHCP Snooping

Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Note The switches covered in this guide can use

Page 392 - Enabling DHCP Snooping

Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation No Yes New Client Authenticated Untagged VLAN Con

Page 393

Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes In the user-based

Page 394

Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes If a port on switch “A” is configured as an 802.1X

Page 395

Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes not enabled. That is, any non-authenticating client at

Page 396

Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Acc

Page 397


Page 398

Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to use user-base

Page 399 - The DHCP Binding Database

Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentic

Page 400 - Operational Notes

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the opt

Page 401 - Log Messages

Security Overview Precedence of Security Options NIM also allows you to configure and apply client-specific profiles on ports that are not configured

Page 402

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Sel

Page 403 - Dynamic ARP Protection

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication o

Page 404

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X

Page 405 - Configuring Trusted Ports

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Set

Page 406

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Set

Page 407

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >]

Page 408 - Packets

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication

Page 409

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es

Page 410

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Opera

Page 411

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators The 802.1s Multiple Spanning Tree P

Page 412

Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific p

Page 413

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be configured for m

Page 414 - Examples

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 12-19 8

Page 415

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X

Page 416

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in

Page 417

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 12-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configu

Page 418

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLA

Page 419 - Filter Types and Operation

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with O

Page 420 - Source-Port Filters

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Authorized-Client VLAN Configured: 802

Page 421 - Example

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLAN

Page 422 - Named Source-Port Filters

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN session on unta

Page 423

Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and u

Page 424

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the

Page 425 - [ index ]

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an Unauthorized-Client

Page 426

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This

Page 427

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use l

Page 428

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, u

Page 429

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually

Page 430

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and a

Page 431 - Static Multicast Filters

Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticat

Page 432 - Protocol Filters

Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticat

Page 433

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switc

Page 434

2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 435 - * ), indicating that the

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switc

Page 436 - Editing a Source-Port Filter

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switc

Page 437

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switc

Page 438 - Filter Indexing

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuratio

Page 439

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access auth

Page 440

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show

Page 441

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show po

Page 442

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Access Control Port’s authent

Page 443

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)#

Page 444 - User Authentication Methods

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access auth

Page 445

Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Printed Publications. . . . .

Page 446

Configuring Username and Password Security Contents Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel . . . . .

Page 447 - 802.1X standard

Configuring Port-Based and User-Based Access Control (802.1X

Page 448

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show

Page 449

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode

Page 450 - VLAN Membership Priority

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in f

Page 451

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 12-5. Output for Determ

Page 452

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are

Page 453

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access

Page 454

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another witho

Page 455 - Access Control

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Note You can use 802.1X (port-b

Page 456

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a

Page 457

Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-9 Set a Password none

Page 458

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignmen

Page 459 - Authenticators

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADI

Page 460

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is

Page 461 - Port-Based Authentication

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session

Page 462

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Syntax: aaa port-access gvrp-vl

Page 463

Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 12-6. 8

Page 464

Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.1X Operation 12-76

Page 465

13 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 466

Configuring and Monitoring Port Security Contents Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . .

Page 467

Configuring and Monitoring Port Security Overview Overview Feature Default Menu CLI Web Displaying Current Port Security n/a — page 13-8 page

Page 468

Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default lev

Page 469 - Wake-on-LAN Traffic

Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security settin

Page 470

Configuring and Monitoring Port Security Port Security • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the p

Page 471 - 802.1X Open VLAN Mode

Configuring and Monitoring Port Security Port Security configuration to ports on which hubs, switches, or other devices are connected, and to maintain

Page 472 - VLAN Membership Priorities

Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to th

Page 473

Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show po

Page 474

Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Syntax: show port-security show port-security <port nu

Page 475

Configuring and Monitoring Port Security Port Security Figure 13-3. Example of the Port Security Configuration Display for a Single Port The next exa

Page 476

Configuring and Monitoring Port Security Port Security Figure 13-4. Examples of Show Mac-Address Outputs 13-11

Page 477

Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: Configure port security and edit security

Page 478 - Unauthorized-Client VLANs

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu

Page 479

Configuring Username and Password Security Overview Notes The manager and operator passwords and (optional) usernames control access to the menu inte

Page 480

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configu

Page 481

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port add

Page 482

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [<mac-addr>] [<mac-addr>] . . . [<

Page 483

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear-intrusion-flag Clears the intrusion flag for a specifi

Page 484

Configuring and Monitoring Port Security Port Security Delete it by using no port-security < port-number > mac-address < mac-addr >.

Page 485

Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existin

Page 486

Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limi

Page 487 - Devices

Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted d

Page 488 - Port-Security

Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Lim

Page 489 - Other Switches

Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you d

Page 490

Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted

Page 491

Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair canno

Page 492

Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely

Page 493 - Statistics, and Counters

Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within y

Page 494

Configuring and Monitoring Port Security MAC Lockdown ProCurve Switch ProCurve Switch ProCurve Switch ProCurve Switch Internal Core Network Switch 1 S

Page 495

Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by th

Page 496

Configuring and Monitoring Port Security MAC Lockdown Figure 13-11. Connectivity Problems Using MAC Lockdown with Multiple Paths M i x e d U s e r s I

Page 497

Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so

Page 498

Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot use MAC

Page 499

Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will overri

Page 500

Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features

Page 501

Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password)

Page 502

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion throug

Page 503

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Figure 13-12. Example of Multiple Intrusion Log Entries fo

Page 504

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, a

Page 505

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 13-13 on page 13

Page 506 - ■ The switch reboots

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear intrusion-flags Clear intrusion flags on all ports.

Page 507

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch

Page 508 - VLAN Assignment on a Port

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Listing with Security Violation Detected Log Listing w

Page 509

Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder

Page 510 - Based Authentication Session

Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LA

Page 511

14 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 512

Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section pa

Page 513 - After the 802.1X session

Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n

Page 514

Using Authorized IP Managers Options Options You can configure: Up to 100 authorized manager addresses, where each address applies to either a sing

Page 515

Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is th

Page 516

Using Authorized IP Managers Defining Authorized Management Stations Menu: Viewing and Configuring IP Authorized Managers Only IPv4 is supported

Page 517

Using Authorized IP Managers Defining Authorized Management Stations Editing or Deleting an Authorized Manager Entry. Go to

Page 518

Using Authorized IP Managers Defining Authorized Management Stations ProCurve(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager Figur

Page 519

Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can conf

Page 520 - Port Security

Using Authorized IP Managers Web: Configuring IP Authorized Managers access through a web proxy server requires that you first add the web proxy serve

Page 521 - Eavesdrop Protection

Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to

Page 522 - Trunk Group Exclusion

Using Authorized IP Managers Building IP Masks IP list. Thus, in the example shown above, a “255” in an IP Mask octet (all bits in the octet are “on”)

Page 523 - Planning Port Security

Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, us

Page 524

Using Authorized IP Managers Building IP Masks Table 14-3. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses 4th Octet of

Page 525

Using Authorized IP Managers Operating Notes Operating Notes Network Security Precautions: You can enhance your network’s security by keeping phys

Page 526

Using Authorized IP Managers Operating Notes 14-14

Page 527

15 Key Management System Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Page 528 - Configuring Port Security

Key Management System Overview Overview The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be

Page 529

Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain

Page 530

Key Management System Configuring Key Chain Management show key-chain Displays the current key chains on the switch and their overall status. For exam

Page 531

Key Management System Configuring Key Chain Management [ accept-lifetime infinite ] [ send-lifetime infinite ] accept-lifetime infinite: Allows packet

Page 532

Key Management System Configuring Key Chain Management Note [ key-string < key_str > ] This option specifies the key value referenced by the pro

Page 533

Key Management System Configuring Key Chain Management Adds a key with full time and date Adds a key with duration expressed in seconds. Figure 15-3.

Page 534

Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File You can store a

Page 535

Key Management System Configuring Key Chain Management You can use show key-chain to display the key status at the time the command is issued. Using t

Page 536

Index Numerics 3DES …8-3 802.1X ACL, effect on … 9-16 802.1X access control authenticate users … 12-5, 12-4, 12-6, 12-4, 12-20 backend state … 12-62 o

Page 537

terminology … 12-6, 12-29, 12-67, 12-68, 12-69, 12-13, 12-23, 12-24 unauthenticated port … 12-28, 12-22, 12-25, 12-8, 12-41, 12-25, 12-35, 12-25, 12-

Page 538 - MAC Lockdown

configure … 9-65 option … 9-71 traffic … 9-18, 9-72 implicit deny See deny any, implicit. … 9-12, 9-20 See ACL, wildcard. IPX … 9-26 log function, wit

Page 539

state … 12-62 authorized addresses for IP management security … 14-3, 13-5 authorized IP managers access levels … 14-3 building IP masks … 14-10 confi

Page 540

verify … 10-5 documentation feature matrix … -xx latest versions … -xix printed in-box publications … -xix release notes … -xix duplicate IP address e

Page 541 - MAC Lockdown Operating Notes

address count … 10-23, 14-1 reserved port numbers … 7-18 IP attribute …5-36 IP masks building … 14-10 for multiple authorized manager stations … 14-1

Page 542 - Deploying MAC Lockdown

O open VLAN mode See 802.1X access control. OpenSSH …7-2 OpenSSL …8-2 operating notes authorized IP managers … 14-13 port security … 13-41 operator pa

Page 543

multiple ACL application types in use … 6-15 NAS-Prompt-User service-type value … 5-14 network accounting … 5-35 operating rules, switch … 5-6, 6-7, 6

Page 544

saving security credentials to configuration file … 2-12, 2-14, 2-21 snooping authorized server … 10-4, 10-8 binding database … 10-11 changing remote

Page 545

Configuring Username and Password Security Saving Security Credentials in a Config File By storing different security settings in different files,

Page 546 - MAC Lockout

configuration, authentication … 4-11, 4-22, 4-18, 4-23, 4-10 encryption key … 4-6, 4-18, 4-19, 4-22, 4-29, 4-26, 4-23, 2-12 general operation … 4-2

Page 547 - 1025-2048 8 8

SSL … 8-18 unsecured access, SSL … 8-18 web server, proxy … 13-41 wildcard See ACL, wildcard. See ACL. wildcard, ACL, defined …6-11 Index – 11

Page 548

12 – Index

Page 550

© Copyright 2009 Hewlett-Packard Development Company, L.P. February 2009 Manual Part Number 5992-5439

Page 551 - Send-Disable

2 Configuring Username and Password Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 552 - Resetting Alert Flags

Configuring Username and Password Security Saving Security Credentials in a Config File SNMP security credentials, including SNMPv1 community nam

Page 553 - Yes” for the port on which

Configuring Username and Password Security Saving Security Credentials in a Config File Password Command Options The password command has the followin

Page 554

Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-a

Page 555

Configuring Username and Password Security Saving Security Credentials in a Config File 802.1X Port-Access Credentials 802.1X authenticator (port-acce

Page 556

Configuring Username and Password Security Saving Security Credentials in a Config File TACACS+ server application. (The encryption key is sometimes

Page 557

Configuring Username and Password Security Saving Security Credentials in a Config File The SSH security credential that is stored in the running conf

Page 558

Configuring Username and Password Security Saving Security Credentials in a Config File To display the SSH public-key configurations (72 characters

Page 559 - Using Authorized IP Managers

Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution When you first enter the include-c

Page 560

Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-fil

Page 561 - Stations

Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable

Page 562

Disabling or Re-Enabling the Password Recovery Process . . . . 2-32 Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 563 - Managers

Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication cred

Page 564

Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independ

Page 565

Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop s

Page 566

Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboo

Page 567 - Web-Based Help

Configuring Username and Password Security Front-Panel Security Reset Clear Test 4. When the Test LED to the right of the Clear button begins flas

Page 568 - Building IP Masks

Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-25) so that the switch

Page 569

Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recove

Page 570

Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel

Page 571

Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the

Page 572

Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by

Page 573 - Key Management System

4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Vie

Page 574

Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complet

Page 575

Configuring Username and Password Security Front-Panel Security Caution Disabling password-recovery requires that factory-reset be enabled, and lock

Page 576

Configuring Username and Password Security Front-Panel Security • If you want to abort the command, press [N] (for “No”) Figure 2-13 shows an examp

Page 577

Configuring Username and Password Security Front-Panel Security Note The alternate password provided by the ProCurve Customer Care Center is valid on

Page 578

Configuring Username and Password Security Front-Panel Security 2-36

Page 579

3 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Page 580

Web and MAC Authentication Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 3-18 — Configure MAC Authenticati

Page 581 - Numerics

Web and MAC Authentication Overview Note A proxy server is not supported for use by a browser on a client device that accesses the network through a

Page 582 - 2 – Index

Web and MAC Authentication Overview Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate

Page 583 - Index – 3

Web and MAC Authentication How Web and MAC Authentication Operate You configure access to an optional, unauthorized VLAN when you configure Web and MA

Page 584 - 4 – Index

RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 5-4 SNMP Access to the Switch’s Authentication Configuration MIB .

Page 585 - Index – 5

Web and MAC Authentication How Web and MAC Authentication Operate Web-based Authentication When a client connects to a Web-Auth enabled port, communi

Page 586 - 6 – Index

Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port

Page 587 - Index – 7

Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated due to invalid credentials or a RADIUS server time

Page 588 - 8 – Index

Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be force

Page 589 - Index – 9

Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged

Page 590 - 10 – Index

Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes The switch supports concurrent 802.1X, Web and MAC authentication op

Page 591 - Index – 11

Web and MAC Authentication Operating Rules and Notes 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the

Page 592 - 12 – Index

Web and MAC Authentication Setup Procedure for Web/MAC Authentication Web/MAC Web or MAC authentication and LACP are not supported at the same time o

Page 593


Page 594 - 5992-5439

Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either
